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ABSTRACT 


The  ubiquity  of  cellular  technology  has  woven  a  variety  of  services,  now  axiomatic,  into 
modern  social  fabric.  Among  those  services  is  the  ability  to  provide  mobile  user  location. 
Applications  of  these  location-based  services  include  providing  directions,  emergency  ser¬ 
vices,  fraud  protection,  and  direct  marketing.  This  work  provides  in-depth  analysis  of 
cellular  positioning,  which  leverages  the  Long  Term  Evolution  (LTE)  signaling  plane  tim¬ 
ing  advance  (TA)  parameter  for  the  end  of  user  geolocation.  Additionally,  we  propose  a 
novel  method  of  augmenting  TA-based  positioning.  Cellular  Synchronization  Assisted  Re¬ 
finement  (CeSAR).  We  simultaneously  show  CeSAR  to  be  a  network  performance  multiplier 
and  security  vulnerability  vis-a-vis  the  method’s  electromagnetically  passive  nature.  Fur¬ 
thermore,  we  demonstrate  how  CeSAR  improves  positioning  by  adding  system  information 
and  mitigating  the  effects  of  poor  network  infrastructure  geometry.  Through  robust  statisti¬ 
cal  analysis,  we  derive  a  theoretical  lower  bound  on  TA-based  positioning  and  demonstrate 
that  a  statistically  efficient  estimator  is  possible  in  this  context.  Furthermore,  numerical 
studies  are  conducted  with  synthetic  and  empirical  data.  The  real-world  data  are  observed  in 
actual  network  deployments  found  in  geographically  diverse  environments,  such  as  Mary¬ 
land  and  California.  The  results  not  only  demonstrate  the  efficiency  of  the  estimator  but 
show  that  accuracy  on  the  order  of  tens  of  meters  is  possible.  Indeed,  TA-based  positioning 
is  shown  to  be  accurate  on  the  order  of  40  m  in  some  scenarios.  Additionally,  we  demon¬ 
strate  that  CeSAR  is  able  to  passively  provide  improvements  ranging  from  10  to  254  m  over 
TA-only  positioning. 


v 


THIS  PAGE  INTENTIONALLY  LEFT  BLANK 


vi 


Table  of  Contents 


1  Introduction  1 

2  Background  7 

2.1  Channel  Model .  7 

2.2  Approaches  to  Positioning .  10 

2.3  LTE  Positioning  Protocol .  16 

3  Solution  Approach  19 

3.1  Data  Collection .  19 

3.2  Cellular  Synchronization  Assisted  Refinement .  21 

3.3  Position  Estimation .  22 

3.4  Performance  Metrics .  24 

3.5  Summary .  26 

4  Morphology  of  the  LTE  Timing  Advance  27 

4.1  Time  Alignment  Management  in  LTE .  27 

4.2  Uncertainty  in  the  Timing  Advance .  30 

4.3  Software  Address  Space  in  LTE .  31 

4.4  Timing  Adjustment  Frequency .  32 

4.5  Heterogeneous  Networks .  32 

4.6  Timing  Advance  Positioning  during  Handovers  and  with  Coordinated  Multipoint  33 

4.7  The  Empirical  Timing  Advance .  34 

4.8  The  Timing  Advance  as  a  Location  Privacy  Preserving  Mechanism  ....  37 

5  Cellular  Synchronization  Assisted  Refinement  39 

5.1  The  Cellular  Synchronization  Assisted  Refinement  Algorithm .  39 

5.2  Sensor  Implementation .  42 

5.3  Observability  of  Uplink  Frames .  43 

vii 


6  Theory  of  Random  Variable  Quantization  47 

6.1  The  Cramer- Rao  Lower  Bound  in  Time  of  Arrival  Positioning .  47 

6.2  Geometric  Dilution  of  Precision  in  Time  of  Arrival  Positioning .  50 

6.3  Pathological  Geometries .  53 

6.4  The  Probability  Density  of  a  Quantized  Random  Variable .  54 

6.5  The  Characteristic  Function  of  Quantized  Random  Variable .  57 

6.6  The  Effect  of  Quantization  Bin  Size .  59 

6.7  The  Variance  of  a  Quantized  Random  Variable .  62 

6.8  Information  Loss  in  a  Quantized  Random  Variable .  66 

6.9  A  Lower  Bound  for  the  Variance  of  a  Quantized  Random  Variable .  67 

7  The  Timing  Advance  as  a  Quantized  Random  Variable  71 

7.1  Spatial  Quantization  in  Cellular  Networks .  71 

7.2  A  Maximum  Likelihood  Estimate  and  Lower  Bound  for  Timing  Advance  Posi¬ 
tioning  .  73 

8  Results  79 

8.1  Accuracy  of  Timing  Advanced-Based  Positioning .  79 

8.2  Empirical  CeSAR  Validation .  86 

8.3  Efficiency  in  Timing  Advanced-Based  Positioning .  90 

9  Conclusion  97 

9.1  Significant  Contributions .  97 

9.2  Future  Work .  100 

Appendix  A  Histograms  Representing  the  Error  Associated  with  TA-Based 

Distance  Estimation  103 

Appendix  B  Proof  of  the  Lower  Bound  for  an  Unbiased  Estimator  105 


Appendix  C  Proof  of  the  Maximum  Likelihood  Estimate  and  the  Cramer- Rao 
Lower  Bound  for  Source  Localization  with  Normally  Corrupted 
Measurements  109 

viii 


Appendix  D  Derivation  of  the  Maximum  Likelihood  Estimate  Associated  with 

pN{x)*pu{x)  115 

Appendix  E  Proof  of  the  Variance  of  N'  at  Extrema  of  r  119 

Appendix  F  Proof  that  fV(0)  =  Ao(0),  Vt/f  when  r  =  e  125 

Appendix  G  Sufficient  Condition  for  Var (AO  >  Var(AO  127 

Appendix  H  Link  Budget  for  Empirical  CeSAR  Validation  131 

Appendix  I  GNU  Radio  Code  for  Generating  a  BPSK  PN  Sequence  and  Syn¬ 
chronizing  USRP  Tx/Rx  Chains  135 

List  of  References  141 

Initial  Distribution  List  147 


IX 


THIS  PAGE  INTENTIONALLY  LEFT  BLANK 


x 


List  of  Figures 

Figure  2.1  The  difference  in  a  multipath  and  NLoS  channel .  9 

Figure  2.2  The  locus  geometry  for  different  multilateration-based  positioning 

schemas  .  12 

Figure  2.3  The  database  correlation  method  of  positioning .  13 

Figure  3.1  The  proposed  scheme  for  TA-based  positioning .  20 

Figure  3.2  The  CeSAR  algorithm .  21 

Figure  3.3  The  method  of  position  estimation .  23 

Figure  3.4  The  circular  error  probable  at  50%,  70%,  and  90%  shown  with  a 

CDF  and  in  simulation .  25 

Figure  4. 1  The  random  access  response  message  format .  28 

Figure  4.2  The  timing  advance  command  format .  29 

Figure  4.3  The  uncertainty  associated  with  TA  distance  measurements  ...  30 

Figure  4.4  Empirical  timing  advance  errors  and  their  relation  to  the  normal 

distribution .  35 

Figure  4.5  Stationary  timing  advance  data  comparing  LoS  and  NLoS  channel 

effects .  36 

Figure  5.1  A  single  eNB  implementation  of  the  CeSAR  algorithm .  39 

Figure  5.2  The  hardware  sensor  configuration  used  in  this  work .  42 

Figure  5.3  An  overview  of  the  salient  logical  signaling  channel  organization  in 

GSM .  43 

Figure  5.4  Radio  resource  allocation  in  GSM .  44 

Figure  5.5  Radio  resource  allocation  in  LTE .  45 


xi 


Figure  6. 1  Annapolis  network  infrastructure  geometry 


48 


Figure  6.2  The  CRLB  and  GDoP  parameterized  by  cr  and  N .  49 

Figure  6.3  The  experimental  setup  of  the  GDoP  investigation .  51 

Figure  6.4  Realized  GDoP  values  for  variable  geometry .  52 

Figure  6.5  Geometric  pathology  in  a  two  eNB  positioning  scenario .  53 

Figure  6.6  The  mapping  of  Q  :  N  i — >  N'  .  55 

Figure  6.7  The  quantization  of  a  normal  RV  .  57 

Figure  6.8  The  mapping  of  Q  :  N  i — >  N'  .  58 

Figure  6.9  The  cumulative  density  function  of  p'N(x)  as  r  — >  0 .  59 

Figure  6.10  The  CF  as  r  — >  oo .  61 

Figure  6.11  The  difference  in  pwix)  for  the  extrema  of  the  shift  factor  \p  .  .  .  64 

Figure  6.12  The  variance  of  AT  for  a  given  shift,  if/  .  65 

Figure  6.13  The  variance  of  a  MLE  of  a  quantized  RV  parameterized  by  r  .  .  68 

Figure  7.1  The  quantization  of  the  TA .  71 

Figure  7.2  The  joint  and  marginal  density  of  the  error  associated  with  TA-based 

positioning .  74 

Figure  8.1  Results  of  positioning  with  synthetic  data  in  a  legacy  network  de¬ 
ployment  .  80 

Figure  8.2  Results  of  positioning  with  synthetic  data  in  handover  scenarios  .  82 

Figure  8.3  The  results  of  positioning  with  synthetic  measurements  within  a 

heterogeneous  network  deployment .  83 

Figure  8.4  The  infrastructure  and  tracks  used  in  two  case  studies  conducted  in 

Monterey,  CA  .  85 

Figure  8.5  Results  from  two  case  studies  conducted  in  Monterey,  CA  ....  86 

xii 


Figure  8.6  The  CeSAR  algorithm  in  field  experimentation .  87 

Figure  8.7  The  experimental  CeSAR  system  setup .  87 

Figure  8.8  The  field  CeSAR  test  site  .  88 

Figure  8.9  Box  plots  of  empirical  CeSAR  validation  measurements .  90 

Figure  8.10  CDF  of  positioning  with  empirical  CeSAR  measurements  ....  91 

Figure  8.11  The  experimental  setup  for  real-world  TA  data .  92 

Figure  8.12  The  performance  of  the  TA-based  MLE  in  various  levels  of  NLoS 

contamination  £ .  93 

Figure  8.13  The  experimental  setup  for  all  real-world  TA  data .  94 

Figure  8.14  The  efficiency  of  CeSAR  and  TA-based  positioning .  95 

Figure  A.  1  Location  A  error  histograms .  103 

Figure  A. 2  Location  B  error  histograms .  103 

Figure  A. 3  Location  C  error  histograms .  104 

Figure  A. 4  Location  D  error  histograms .  104 

Figure  G.l  First-order  variance  approximation  error  .  129 

Figure  H.l  The  link  budget  of  the  CeSAR  validation  experiment .  132 


xiii 


THIS  PAGE  INTENTIONALLY  LEFT  BLANK 


xiv 


List  of  Tables 


Table  H.l  Correlation  between  USRP  gain  values  and  actual  transmit  powers  131 


xv 


THIS  PAGE  INTENTIONALLY  LEFT  BLANK 


xvi 


List  of  Acronyms  and  Abbreviations 


3GPP  Third  Generation  Partnership  Project 

A-GNSS  Assisted  Global  Navigation  Satellite  System 

AGCH  Access  Grant  Channel 

AMLE  Approximate  Maximum-Likelihood  Estimate 

BCH  Broadcast  Channel 

BPSK  Binary  Phase-Shift  Keying 

BTS  Base  Transceiver  Station 

BSC  Base  Station  Controller 

BSS  Base  Station  Subsystem 

C-RNTI  Cell-Radio  Network  Temporary  Identifier 

CCCH  Common  Control  Channel 

CDF  Cumulative  Distribution  Function 

CE  Control  Element 

CEP  Circular  Error  Probable 

CF  Characteristic  Function 

CeSAR  Cellular  Synchronization  Assisted  Refinement 

CoMP  Coordinated  Multipoint 

CRC  Cyclic  Redundancy  Check 

CRLB  Cramer- Rao  Lower  Bound 


xvu 


DCCH  Dedicated  Control  Channel 


E-911  Enhanced  911 

E-CID  Enhanced  Cell  Identification 

E-UTRA  Evolved  UMTS  Terrestrial  Radio  Access 

EARFCN  E-UTRA  Absolute  Radio  Frequency  Carrier  Number 

eNB  enhanced  Node  B 

E-SMLC  Enhanced-Serving  Mobility  Location  Center 

FCC  Federal  Communications  Commission 

FDoA  Frequency  Difference-of-Arrival 

FFT  Fast  Fourier  Transform 

GDoP  Geometric  Dilution  of  Precision 

GPS  Global  Positioning  System 

GSM  Global  System  for  Mobile  Communications 

IMSI  International  Mobile  Subscriber  Identity 

LBS  Location-Based  Services 

LoS  Line-of-Sight 

LPP  LTE  Positioning  Protocol 

LPPM  Location  Privacy  Preserving  Mechanism 

L1/L2  Layer  1/Layer  2 

LFSR  Linear  Feedback  Shift  Register 

LTE  Long  Term  Evolution 

LTE-A  Long  Term  Evolution  Advanced 

xviii 


MAC  Medium  Access  Control 

MIB  Master  Information  Block 

MSE  Mean-Squared  Error 

NLoS  Non-Line  of  Sight 

ODTOA  Observed  Time-Difference-of-Arrival 

OFDM  Orthogonal  Frequency-Division  Multiplexing 

OFDMA  Orthogonal  Frequency-Division  Multiple  Access 

PCell  Primary  Serving  Cell 

PDCCH  Physical  Downlink  Control  Channel 

PDCP  Packet  Data  Convergence  Protocol 

PDF  Probability  Density  Function 

PMF  Probability  Mass  Function 

PN  Pseudo-Noise 

PRS  Positioning  Reference  Signal 

PSS  Primary  Search  Signal 

PUCCH  Physical  Uplink  Control  Channel 

RACH  Random  Access  Channel 

RAR  Random  Access  Response 

RF  Radio  Frequency 

RFPM  Radio  Frequency  Pattern  Matching 

RLC  Radio  Link  Control 

RMSE  Root  Mean-Squared  Error 


xrx 


RNTI  Radio  Network  Temporary  Identifier 

RRC  Radio  Resource  Control 

RSRP  Reference  Signal  Received  Power 

RSRQ  Reference  Signal  Received  Quality 

RV  Random  Variable 

RX  Receive 

SCell  Secondary  Serving  Cell 

SDCCH  Standalone  Dedicated  Control  Channel 

SDR  Software  Defined  Radio 

SIB  Secondary  Information  Block 

SSS  Secondary  Search  Signal 

TA  Timing  Advance 

TAG  Timing  Advance  Group 

TCH  Transport  Channel 

ToA  Time-of-Arrival 

TDoA  Time-Difference-of-Arrival 

TX  Transmit 

UE  User  Equipment  (i.e.,  cellular  mobile  device) 
UMTS  Universal  Mobile  Telecommunication  System 
USRP  Universal  Software  Radio  Peripheral 

UTDOA  Uplink  Time-Difference-of-Arrival 
WiMAX  Worldwide  Interoperability  for  Microwave  Access 


xx 


Executive  Summary 


Over  the  past  decade,  the  world  has  seen  a  dramatic  increase  in  web-based  interconnected¬ 
ness,  which  stems  largely  from  the  proliferation  of  cellular  technology.  Cellular  technology’s 
role  in  connecting  mobile  users  has  ushered  it  into  a  golden  age  of  relevance  in  the  research 
community.  Cellular  technology  is  thus  the  focus  of  network  and  security  researchers  alike. 

Providing  a  user  location  within  the  context  of  cellular  networks  has  also  long  been  the 
subject  of  study  and  marketed  as  location-based  services  (LBS).  The  nascence  of  LBS  is  such 
that  it  has  been  estimated  that  the  general  application  of  this  technology  for  non-emergency 
services  will  generate  approximately  15  billion  dollars  annually  [1],  This  economic  boon 
has  fueled  this  direction  in  mobile  device  location  and  the  creation  of  the  current  corpus 
of  research.  Applications  of  LBS  include  location-sensitive  billing,  fraud  protection,  asset 
tracking,  fleet  management,  surveillance  [1],  and  various  other  services  for  autonomous 
vehicles  and  wireless  networks.  Marketing  applications  also  abound,  exploiting  a  user’s 
location  for  directed  advertising  and  promotions  [2].  Finally,  as  the  social  fabric  of  our 
society  extends  into  digital  domains,  services  like  Facebook  and  Foursquare  increasingly 
leverage  LBS  to  share  information  about  a  user’s  location. 

We  propose  a  novel  method  of  passive  subscriber  geolocation  inside  a  cellular  network. 
Due  to  the  ubiquity  of  the  Long  Term  Evolution  (LTE)  standard,  we  focus  specifically  on 
this  technology  but  acknowledge  that  the  methodology  could  easily  be  translated  to  other 
protocols  such  as  the  Worldwide  Interoperability  for  Microwave  Access  (WiMAX).  In  the 
context  of  LTE,  we  submit  the  signaling  plane  and  specifically  the  timing  advance  (TA) 
parameter  to  this  end  of  user  geolocation.  This  parameter  is  primarily  responsible  for 
managing  user  mobility  in  various  time  division  multiple  access-based  cellular  networks. 
Specifically,  this  is  accomplished  via  the  TA  by  advancing  or  retarding  a  mobile  device’s 
uplink  transmission  time  relative  to  the  device  distance  from  the  serving  base  station.  In 
this  way,  as  mobile  devices  move  throughout  the  serving  area  uplink  collisions  resulting 
in  changing  propagation  delays  are  mitigated  [3].  It  is,  however,  well-known  that  the 
TA  can  be  used  to  estimate  mobile  equipment  distance  from  serving  base  stations  [4]. 
Despite  this,  there  is  not  a  rigorous  analysis  of  the  best  possible  positioning  accuracy  of 
this  method.  Additionally,  we  propose  a  method  of  augmenting  TA-based  positioning, 


Cellular  Synchronization  Assisted  Refinement  (CeSAR),  to  further  improve  the  accuracy 
of  TA-based  positioning. 

CeSAR  is  an  entirely  passive  method  of  augmenting  TA-based  positioning  with  a  simple 
sensor  located  in  the  serving  cell.  At  the  heart  of  CeSAR  is  the  ability  to  glean  additional 
distance  information  from  the  TA  by  learning  when  the  user  is  scheduled  to  transmit  an 
uplink  burst.  This  enables  measurement  of  the  time  of  flight  of  that  uplink  burst  from  the 
user  to  the  sensor.  This  information  can  be  combined  with  the  standard  user  to  base  station 
distance  traditionally  inferred  from  a  TA. 

In  this  work,  we  examine  the  TA  as  a  means  to  position  estimation  both  with  and  without 
CeSAR  augmentation.  We  provide  new  complementary  statistical  analysis  of  the  TA  from 
which  is  derived  a  lower  bound  on  TA-based  position  estimation.  Furthermore,  we  use  this 
analysis  to  show  how  certain  parameters  of  LTE  have  indirectly  resulted  in  it  being  possible 
to  provide  a  consistently  accurate  position  estimate.  This  has  not  been  possible  in  older 
standards  such  as  the  Global  System  for  Mobile  Communications  (GSM).  We  use  simulated 
and  real-world  data  collected  in  existing  modern  LTE  networks  to  validate  assumptions 
about  the  error  distribution  of  TAs,  the  lower  bound  on  positioning  accuracy,  and  TA-based 
positioning  accuracy  with  and  without  CeSAR  augmentation.  In  these  studies,  significant 
attention  is  given  to  TA-based  geolocation  in  future  heterogeneous  networks.  Our  analysis 
and  field  experimentation  suggest  that  accuracies  of  40  m  to  120  m  are  possible. 
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CHAPTER  1: 

Introduction 


Over  the  past  decade,  the  world  has  seen  a  dramatic  increase  in  web-based  interconnected¬ 
ness  enabled  largely  through  the  proliferation  of  cellular  technology.  Cellular  technology’s 
role  in  connecting  mobile  users  has  ushered  it  into  a  golden  age  of  relevance  in  the  research 
community.  Cellular  technology  is  thus  the  focus  of  network  and  security  researchers  alike. 

The  attention  cellular  technology  has  garnered  from  network  researchers  is  fueled  by  the 
public’s  insatiable  appetite  for  faster  data  rates.  Indeed,  some  estimates  project  a  1000-fold 
increase  in  cellular  network  capacity  over  the  next  several  years  [1].  Currently,  in  North 
America,  a  LTE  subscriber  uses  approximately  3.7  GB  a  month.  Over  the  next  five  years, 
the  average  LTE  user’s  data  consumption  is  expected  to  increase  to  22  GB  a  month  [2]. 
Increasingly,  the  solution  to  this  capacity  demand  is  centering  on  the  Long  Term  Evolution 
(LTE)  and  LTE- Advanced  (LTE -A)  protocols  as  the  specific  enabling  technologies.  To  wit, 
LTE  subscribers  are  projected  to  increase  from  1.1  billion  in  2015  to  4.3  billion  over  the  next 
five  years  [2].  Additionally,  LTE-A  subscriptions  are  projected  to  increase  to  500  million 
by  2018,  making  massive  data  rates  expected  from  LTE-A  a  global  reality  [3].  Given  these 
projections,  it  is  easy  to  see  why  network  researchers  continue  to  probe  the  boundaries 
of  achievable  cellular  capacity.  Due  to  the  prevalence  of  LTE,  we  frame  our  discussion 
throughout  this  work  in  the  context  of  this  specific  protocol,  while  acknowledging  the 
potential  for  the  translation  of  fundamental  ideas  to  other  technologies  (e.g.,  Worldwide 
Interoperability  for  Microwave  Access  [WiMAX]). 

The  burgeoning  ubiquity  of  cellular  networks  has  also  been  the  impetus  for  research  not 
directly  related  to  increasing  capacity.  Specifically  in  the  arena  of  positioning  in  cellular 
networks,  the  Federal  Communication  Commission’s  (FCC)  E-911  mandate  has  been  es¬ 
pecially  prevalent  in  stoking  the  research  [4].  This  mandate  enables  emergency  services  by 
requiring  cellular  operators  to  provide  the  location  of  a  cellular  device  with  specific  bounds 
on  accuracy.  Put  forth  in  a  series  of  phases,  the  mandate  ultimately  requires  accuracy  to 
within  100  m  67%  of  the  time  and  300  m  95%  of  the  time  for  network-based  techniques, 
and  50  m  67%  of  the  time  and  150  m  95%  of  the  time  for  handset-based  techniques  [5]. 
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This  work  in  cellular  positioning  likely  served  as  inspiration  for  application  of  this  technol¬ 
ogy  in  other  related  areas  generically  termed  location-based  services  (LBS).  LBS  is  a  nascent 
use  of  positioning  technology;  it  is  estimated  that  the  general  application  of  this  technology 
for  non-emergency  services  will  generate  approximately  15  billion  dollars  annually  [6]. 
This  economic  boon  has  fueled  this  direction  in  mobile  device  location  and  the  creation  of 
the  current  corpus  of  work  (e.g.,  [6]— [10]).  Applications  of  LBS  include  location-sensitive 
billing,  fraud  protection,  asset  tracking,  fleet  management,  surveillance  [6],  and  various 
other  services  for  autonomous  vehicles  and  wireless  networks.  Marketing  applications  also 
abound,  exploiting  a  user’s  location  for  directed  advertising  and  promotions  [10].  Finally, 
as  the  social  fabric  of  our  society  extends  into  digital  domains,  services  like  Facebook  and 
Foursquare  increasingly  leverage  LBS  to  share  information  about  a  user’s  location. 

However,  as  the  cellular  market  careens  towards  massive  data  rates,  the  market  and  research 
community  would  be  wise  to  consider  the  second  order  effects  of  these  technological 
advances.  Specifically,  user  privacy  is  an  emerging  consideration.  In  the  context  of  LBS, 
the  microcosm  of  user  location  privacy  is  of  particular  interest.  Privacy  can  be  defined 
as  [11]  “the  claim  of  individuals,  groups,  or  institutions  to  determine  for  themselves  when, 
how,  and  to  what  extent  information  about  them  is  communicated  to  others.”  The  scope 
of  this  definition  can  be  further  refined  to  consider  only  location  privacy  as  “the  ability  to 
prevent  other  parties  from  learning  one’s  current  or  past  location”  [12].  These  definitions 
subsume  ideas  many  hold  about  privacy  and  simultaneously  give  pause  when  location 
data  sets  are  used  in  applications  such  as  sociological  and  market  studies,  optimal  cell 
tower  placement,  or  traffic  monitoring  [13].  Despite  the  fact  that  these  data  are  usually 
anonymized,  it  has  been  shown  that  that  anonymity  may  not  be  as  strong  as  previously 
thought.  For  instance,  remarkable  precision  has  been  demonstrated  in  deanonymization 
attacks  that  use  computational  means  such  as  Markov  modeling  in  attributing  specific  users 
to  anonymized  data  [13]. 

As  technology  moves  forward,  preserving  these  definitions  of  privacy  becomes  more  obscure 
and  less  axiomatic.  This  difficulty  stems  from  two  points.  First,  the  preservation  of  privacy 
is  obscure  because  it  is  nuanced  in  implementation.  One  of  the  main  objectives  of  this 
work  is  to  demonstrate  how  privacy  is  connected  in  ways  that  are  not  directly  obvious  to 
seemingly  unrelated  network  parameters.  Second,  the  preservation  of  location  privacy  is 
less  axiomatic  because  users  are  either  not  aware  of  the  dangers  to  their  privacy  or  are 
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apathetic  to  these  dangers.  For  instance,  one  study  [14]  reported  that  250  users  willingly 
turned  over  two  weeks’  worth  of  their  driving  GPS  data  in  return  for  a  1  in  100  chance  of 
winning  a  $200  MP3  player.  Furthermore,  of  the  250  individuals  in  the  study,  97  were  asked 
if  their  data  could  be  shared  with  a  third  party  and  only  20°/c  refused.  The  trend  indicated 
by  this  study  is  representative  of  other  similar  studies  [15]— [17] . 

This  work  addresses  the  problem  of  mobile  device  location  in  cellular  networks.  To  this 
end,  we  enumerate  several  objectives  framed  from  two  different  perspectives:  the  network 
operator’s  perspective  and  the  vulnerability  analyst’s  perspective.  First,  from  the  network 
operator’s  perspective,  we  seek  a  cellular  geolocation  solution  with  the  following  two 
requirements: 

1.  An  accurate  position  estimate. 

2.  A  minimal  impact  on  network  performance. 

The  first  objective  follows  as  an  ad  oculos  requirement  since  it  is  obvious  that  a  more 
accurate  position  estimate  is  preferable  compared  to  a  less  accurate  estimate.  However, 
more  accurate  position  estimates  usually  come  at  a  cost.  For  instance,  in  the  case  of 
certain  positioning  schemes  that  will  be  detailed  later,  accuracy  may  be  bought  by  spending 
more  time  training  a  model  [18],  [19].  Therefore,  rather  than  search  for  the  most  accurate 
position  estimate,  we  seek  the  position  estimate  that  is  accurate  enough  in  light  of  the 
second  requirement.  For  instance,  in  the  context  of  social  media,  a  position  estimate  that  is 
accurate  to  within  50  m  may  be  preferable  to  a  position  estimate  that  is  accurate  to  10  m  if 
the  former  estimate  can  be  made  with  no  impact  to  the  network  performance.  To  the  point, 
it  may  be  that  the  latter  estimate  requires  interfacing  with  the  network,  perhaps  to  exchange 
positioning  requests  or  to  send  a  reference  signal.  This  exchange  requires  network  resources 
that  could  otherwise  be  used  for  raw  data  throughput.  It  is  in  these  scenarios  where  our 
solution  space  lies. 

Next,  from  the  perspective  of  the  vulnerability  analyst  we  examine  the  cellular  protocol  to 
the  end  of  evaluating  its  ability  to  preserve  a  user’s  location  privacy.  Specifically,  we  seek 
to  answer  the  following  questions: 

1 .  To  what  extent  is  a  user’s  location  information  leaked  in  LTE  cellular  side  channels? 

2.  What  is  the  cost  of  accessing  location  information  leakage  in  LTE? 
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Location  privacy  and  the  accuracy  of  the  position  estimate  are  intrinsically  linked  in  that 
they  are  at  least  inversely  proportional  [20].  This  inverse  proportionality  follows  from 
the  fact  that  as  information  about  a  user’s  whereabouts  becomes  more  accurate  that  user’s 
privacy  necessarily  decreases.  Thus,  as  the  first  question  from  the  security  analyst’s  per¬ 
spective  is  answered,  the  parameters  constraining  the  network  operator’s  first  requirement 
are  constructed.  We  will  later  show  that,  in  particular,  the  signaling  plane  carries  a  sig¬ 
nificant  amount  of  location-based  information.  Moreover,  this  information  is  available  in 
plaintext  to  any  passive  listener  lowering  the  cost  of  observation  and  making  the  observation 
reasonably  covert. 

We  then  proceed  with  this  dual  perspective.  In  both  cases,  the  most  accurate  solution 
is  required  such  that  passive  observation  is  still  preserved.  We  begin  in  Chapter  2  with 
some  necessary  preliminaries,  such  as  the  wireless  channel  model  that  will  frame  the 
discussion  in  the  remainder  of  the  work.  Chapter  2  then  concludes  with  a  survey  of  modern 
positioning  schemas,  including  the  positioning  protocol  currently  specified  by  the  LTE 
standard  to  provide  mobile  user  location.  The  proposed  solution  approach  is  then  introduced 
in  Chapter  3.  We  begin  to  explore  in  detail  our  solution  approach  in  Chapter  4  where  we 
introduce  the  main  mechanism  on  which  our  approach  will  rely,  the  LTE  signaling  plane’s 
timing  advance  (TA)  parameter.  Chapter  5  then  details  CeSAR,  an  entirely  passive  method 
by  which  more  information  can  be  gleaned  from  the  TA  in  order  to  improve  the  position 
estimate.  Next,  in  Chapters  6  and  7,  we  conduct  a  rigorous  statistical  analysis  of  TA-based 
positioning.  This  analysis  will  reveal  an  analytical  lower  bound  on  achievable  performance 
and  show  how,  with  the  advent  of  tighter  timing  alignment  that  supports  higher  data  rates, 
LTE  has  turned  a  statistical  corner.  An  indirect  result  of  more  strict  timing  alignment  is  a 
much  more  consistent  leak  of  location-based  data  than  some  of  the  legacy  cellular  standards 
like  the  Global  System  for  Mobile  Communications  (GSM).  The  analytical  results  will  then 
be  evaluated  in  Chapter  8  through  the  use  of  synthetic  and  empirical  data.  It  will  be  shown 
that  a  statistically  efficient  estimator  for  TA-based  positioning  is  possible,  and  expected 
performance  bounds  for  the  proposed  scheme  will  be  developed.  The  present  work  and 
major  contributions  are  summarized  in  Chapter  9  before  suggestions  for  future  work  are 
discussed. 

The  contents  of  this  dissertation  have  been  revised  from  previous  work  already  published  or 
in  publication  by  the  author.  Specifically,  Sections  2.1,  2.2.4,  2.2.5,  4.8,  5.3,  and  8.1.2  are 
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revised  from  “Location  Privacy  in  LTE:  A  Case  Study  on  Exploiting  the  Cellular  Signaling 
Plane’s  Timing  Advance”  by  John  Roth,  Murali  Tummala,  John  McEachen,  and  James 
Scrofani  to  be  published  in  the  proceedings  of  the  50th  Hawaii  International  Conference 
on  System  Sciences  in  January  2017  [28].  Sections  2.3,  4. 1-4.6  and  8.1.1  are  revised 
from  “Cellular  Synchronization  Assisted  Refinement  (CeSAR):  A  Method  for  Accurate 
Geolocation  in  LTE-A  Networks”  by  John  Roth,  Murali  Tummala,  and  James  Scrofani 
published  in  the  proceedings  of  the  49th  Hawaii  International  Conference  on  System  Sciences 
in  January  2016  [24].  Sections  4.7,  6.1,  and  6.2  are  revised  from  “Maximum  Likelihood 
Geolocation  in  LTE  Cellular  Networks  Using  the  Timing  Advance  Parameter”  by  John 
Roth,  Murali  Tummala,  John  McEachen,  James  Scrofani,  and  Robert  DeGabriele  to  be 
published  in  the  proceedings  of  the  10th  International  Conference  on  Signal  Processing 
and  Communication  Systems  in  December  2016.  Sections  5.1,  6.4-6. 9,  and  8.3.2  are 
revised  from  “On  Location  Privacy  in  LTE  Networks”  by  John  Roth,  Murali  Tummala,  John 
McEachen,  and  James  Scrofani  which  has  been  submitted  for  publication. 
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CHAPTER  2: 
Background 


In  this  section,  we  present  the  necessary  background  and  review  the  current  state-of-the-art 
in  wireless  geolocation.  First,  we  introduce  the  wireless  channel  as  a  necessary  preliminary. 
This  is  the  channel  model  that  the  remainder  of  the  background  and  the  main  body  of 
presented  work  itself,  will  reference.  Next,  we  introduce  various  methods  of  positioning  in 
the  context  of  cellular  networks.  Finally,  we  introduce  the  current  method  of  positioning  in 
our  target  technology,  LTE. 

This  section  includes  material  adapted  from  work  previously  published  by  the  author. 
Specifically,  Section  2. 1  is  revised  from  “Maximum  Likelihood  Geolocation  in  LTE  Cellular 
Networks  Using  the  Timing  Advance  Parameter”  by  John  Roth,  Murali  Tumala,  John 
McEachen,  James  Scrofani,  and  Robert  DeGabriele  to  be  published  in  the  proceedings 
of  the  10th  International  Conference  on  Signal  Processing  and  Communication  Systems 
in  December  2016  [21].  Sections  2.2.4  and  2.2.5  are  revised  from  “Location  Privacy 
in  LTE:  A  Case  Study  on  Exploiting  the  Cellular  Signaling  Plane’s  Timing  Advance” 
by  John  Roth,  Murali  Tummala,  John  McEachen,  and  James  Scrofani  to  be  published 
in  the  proceedings  of  the  50th  Hawaii  International  Conference  on  System  Sciences  [28]. 
Section  2.3  is  revised  from  “Cellular  Synchronization  Assisted  Refinement  (CeSAR):  A 
Method  for  Accurate  Geolocation  in  LTE-A  Networks”  by  John  Roth,  Murali  Tummala, 
and  James  Scrofani  published  in  the  proceedings  of  the  49th  Hawaii  International  Conference 
on  System  Sciences  in  January  2016  [24]. 


2.1  Channel  Model 

In  this  section,  we  describe  the  wireless  channel  mathematically  in  the  context  of  distance 
estimation.  We  pay  specific  attention  to  errors  associated  with  standard  distance  estimation, 
TA-related  error,  and  non-line-of-sight  (NLoS)  channels. 

In  positioning-based  models,  a  common  overall  representation  of  the  distance  relationship 
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between  an  anchor  point  and  a  position  to  be  estimated  is  given  by 


d  =  d  +  £  (2.1) 

where  d  -  [d\,  do,  . .  . ,  cInV  are  the  observed  measured  distances  from  the  N  base  stations, 
termed  in  the  LTE  lexicon  enhanced  node-Bs  (eNBs),  d  =  [d\,  do, . . . .  c/.v]7  are  the  actual 
distances,  and  £  =  [£i,  ■  ■  ■  ,^nV  are  the  set  of  errors  corrupting  the  true  distances. 

Distance  is  defined  as  d  =||  po  -  p/  1 1  where  ||  •  ||  is  the  Euclidean  norm  and  po  =  [.ro,  yo]T 
is  the  actual  location  of  the  position  to  be  estimated  and  p,  =  t/,  ]r  is  the  position  of  the 

Ith  anchor  point  or  base  station.  We  hereafter  refer  to  anchor  points  exclusively  as  eNBs 
and  the  mobile  device  whose  position  will  be  estimated  as  user  equipment  (UE)  in  keeping 
with  the  cellular  vernacular.  The  set  of  measured  distances  d  are  then  used  to  determine  a 
position  estimate  via 

P  =  f(d)  (2.2) 

where  /(•)  is  some  function  making  use  of  available  information  and  p  =  [Jc,  y  ] 7  is  the 
position  estimate.  For  our  application,  /(•)  represents  a  fusion  of  the  observed  data  in  d. 

The  noise  vector  £  is  the  source  of  distance  estimation  error  which  virtually  guarantees  that 
II  Po  —  P  II  >  0,  and  is  of  particular  interest  in  all  types  of  wireless  positioning.  As  a  first 
approximation  of  £,  let 

6  =  Xi  (2.3) 

such  that  Xi  ~  Af(0,  err)  is  a  normal  zero-mean  random  variable  (RV)  with  some  variance 
err.  This  is  typically  used  to  model  measurement  noise  and  may  be  appropriate  in  some 
channel  conditions,  for  example,  if  a  line-of-sight  (LoS)  condition  exists  between  the  trans¬ 
mitter  and  receiver  [7] .  LoS  conditions  imply  that  there  are  no  physical  obstructions  between 
the  transmitter  and  receiver  in  the  wireless  channel.  Common  applications  of  this  simplified 
noise  model  include  the  global  positioning  system  (GPS)  and  rural  multilateration. 

Next  we  expand  on  (2.3)  in  order  to  describe  a  £  that  is  tailored  to  errors  associated  with 
TA-based  ranging  measurements.  The  TA  is  a  control  plane  parameter  used  by  the  network 
to  take  into  account  propagation  delay  between  a  UE  and  eNB  when  synchronizing  the 
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(a)  Multipath  (b)  NLoS 

Figure  2.1.  The  difference  in  a  multipath  and  NLoS  channel 


UE’s  uplink  burst1  [22].  The  TA  is  a  discrete  quantity,  thus  the  error  associated  with  the 
TA  ranging  measurement  is  classically  approximated  as  essentially  a  quantization  noise 
term.  Specifically,  in  LTE,  the  TA  has  a  quantization  interval  of  78.125  meters  [23],  [24]. 
Therefore,  under  this  ideal  model,  error  can  be  modeled  as 

6  =  0>i  (2.4) 

where  o>,-  is  the  quantization  error  associated  with  the  zth  TA  measurement  error.  This 
simplification  of  TA-based  error  is  nuanced,  and  thus,  a  significant  body  of  the  present 
work  is  dedicated  to  bringing  to  light  the  conditions  under  which  this  assumption  can  be 
made.  Commonly,  this  error  is  modeled  ideally  as  a  uniformly-distributed  RV  [24]-[26]. 
However,  for  realistic  applications,  this  model  alone  may  not  hold.  Research  in  GSM 
and  LTE  networks  has  shown  that  the  TA  may  be  more  accurately  modeled  by  a  normal 
distribution  [27]-[29]  or  approximately  normal  distribution  [21],  as  described  by 

ft  =  Xi  +  <*>i  (2.5) 

which  is  consistent  with  the  empirical  data  presented  in  this  work  (cf.  Chapter  4).  This 
indicates  that  the  TA  transition  areas  are  not  hard  transitions  as  commonly  assumed,  but 
rather  have  fuzzy  boundaries  or  transition  zones.  This  can  be  explained  by  time-varying 
channel  conditions  as  well  as  errors  associated  with  distance  estimation  at  the  eNB  (which 
is  ultimately  responsible  for  calculating  the  UE  distance  and  issuing  a  TA). 

In  some  use  cases,  the  error  cannot  be  accurately  modeled  by  (2.5)  either.  For  instance, 

'Further  analysis  of  the  inner  workings  and  details  of  the  TA  will  be  the  exclusive  subject  of  a  subsequent 
chapter. 
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in  physically  dense  environments  (e.g.,  urban  canyons),  the  channel  is  often  polluted  by 
buildings,  skyscrapers,  and  the  like,  which  obstruct  the  LoS  from  the  UE  to  the  eNB.  At 
the  very  least,  this  results  in  a  multipath  scenario,  shown  in  the  left  pane  of  Figure  2.1.  In 
multipath  propagation,  the  signal  arrives  at  the  receiver  via  at  least  one  reflected  path,  which 
will  travel  some  non-minimal  distance.  There  may  be  a  LoS  component;  however,  it  is  not 
guaranteed  to  be  the  strongest  of  the  arriving  signal  components.  For  instance,  two  reflected 
paths  may  add  constructively  at  the  receiver  to  provide  a  combined  signal  strength  larger 
than  that  of  the  LoS  component.  In  severe  cases,  there  will  be  no  LoS  component,  as  in  the 
right  pane  of  Figure  2.1,  and  the  channel  can  be  described  as  non-line  of  sight  (NLoS).  In 
these  scenarios,  the  distance  error  will  always  be  positively  biased,  since  all  signal  paths 
travel  some  non-minimal  distance,  and  the  noise  model  can  be  extended  such  that 

ft  =  Xi  +  +  T]i  (2.6) 

where  77/  is  some  positively-biased  RV  representing  the  error  associated  with  NLoS  con¬ 
ditions  between  the  UE  and  the  ith  eNB.  Popular  models  for  rj  include  an  exponential 
distribution  [30],  a  uniform  distribution  [31],  a  positively-biased  normal  distribution  [7], 
[27],  [30],  and  a  Rayleigh  distribution  [30].  Common  applications  of  this  NLoS  noise 
model  include  positioning  in  dense  urban  environments  or  indoor  scenarios. 

Given  (2.6),  £  is  a  random  vector  where  the  probability  density  function  (PDF)  of  each 
element  is  the  result  of  a  double  convolution 


PaCft)  =  Px(Xi)  *  Pn(oJi)  *  pN{Tp).  (2.7) 

Depending  on  what  distribution  types  are  used  for  each  RV  a  closed-form  solution  for  pa(^) 
may  not  be  possible.  For  now  we  leave  these  distributions  as  generically  defined  and  later 
ascribe  specific  distribution  types  to  them.2 

2.2  Approaches  to  Positioning 

In  this  section,  we  provide  a  brief  taxonomy  of  relevant  traditional  techniques  in  wireless 
localization.  We  then  provide  a  review  of  previous  work  in  TA-based  positioning.  For 

2This  section  was  revised  from  [21], 
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the  purposes  of  our  taxonomy,  the  positioning  system  will  consist  of  several  eNBs  whose 
positions  are  known  and  a  target  to  be  located.  Additionally,  the  target  is  assumed  to  be 
emitting  a  radio  frequency  (RF)  signal  with  known  content  and  transmit  power. 

2.2.1  Multilateration 

The  first  class  of  positioning  solutions  in  our  taxonomy  is  multilateration.  In  this  solution 
approach,  the  distance  of  the  target  is  estimated  from  several  eNBs.  Those  distance  estimates 
are  then  fused  into  a  position  estimate  via  some  nonlinear  function,  /(•)•  The  first  of  the 
multilateration-based  techniques  measures  the  received  signal  strength  (RSS)  from  multiple 
eNBs.  Because  the  strength  of  the  signal  is  known  a  priori ,  a  path  loss  model  is  used  to 
estimate  the  eNB -target  distance.  This  received  signal  strength  model  leans  heavily  on  an 
exact  known  broadcast  strength  and  an  accurate  model  of  the  path  loss  X  [7],  [8]  classically 
described  by 

(And\ 

X  =  y  10  log  I  —  j  (2.8) 

where  d  is  the  is  the  propagation  distance,  the  path  loss  exponent  y  models  the  propagation 
environment,  and  the  wavelength  A  is  set  by  the  transmit  frequency. 

A  position  can  also  be  estimated  through  multilateration  via  time-of-arrival  (ToA)  calcula¬ 
tion.  This  solution  leverages  knowledge  of  the  signal’s  time  of  flight  and  propagation  speed 
to  calculate  the  eNB-target  distance  to  produce  a  circular  locus  such  as  that  shown  in  the 
left  pane  of  Figure  2.2.  Because  this  technique  is  highly  sensitive  to  variations  in  time, 
it  assumes  a  very  precisely  synchronized  system.  Notably,  not  only  do  the  eNBs  need  to 
be  synchronized  in  time,  but  the  target  must  also  be  synchronized  [7],  [8].  The  position 
estimate  is  then  made  by  some  means  from  the  resulting  system  of  equations 

(x-xi)2  +  (y  -  yi )2  =  d] 

(x-x2f  +  (y-  yi)2  =  d\ 

(2.9) 

(x  -  xN)2  +  (y  -  yN)2  =  <PN 

which,  if  any  error  is  present,  will  likely  be  inconsistent  for  N  >  2  eNBs  or  underdetermined 
for  all  other  N. 
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(a)  ToA  &  RSS  (b)  TDoA  &  FDoA 

Figure  2.2.  The  locus  geometry  for  different  multilateration-based  position¬ 
ing  schemas.  Note  that  for  the  TDoA  and  FDoA  techniques,  N  -  1  loci  are 
produced  while  in  ToA  and  RSS  N  loci  are  realized. 

The  final  solution  to  multilateration  is  time-difference-of-arrival  (TDoA).  This  technique 
uses  the  time  difference  of  arrival  to  calculate  the  position  estimate.  In  this  way,  the  signal’s 
absolute  time  of  flight  is  not  needed,  rather  only  the  differences  in  time  of  flight  is  required. 
These  measurements  result  in  hyperbolic  loci  where  the  eNBs  are  the  foci  of  the  hyperbolae 
described  by 

(O  -  xif  +  (y-  yd2)  -  (U  -  xj)2  +  (y  -  yj)2)  =  A d\ij}  v iff  i  a  j.  (2.10) 

One  main  advantage  of  this  technique  over  the  ToA  technique  is  that,  while  the  eNBs  still 
require  strict  time  synchronization,  the  target  need  not  be  synchronized  [7],  [8] 3.  On  the 
other  hand,  TDoA  will  always  produce  one  less  equation  in  (2.10)  than  in  (2.9),  thus  while 
a  minimum  of  N  =  3  eNBs  are  required  for  a  two  dimensional  fix  with  ToA,  N  =  4  eNBs 
is  required  for  a  two  dimensional  fix  with  TDoA 

One  notable  limitation  of  multilateration  techniques  is  that  they  assume  the  RF  signal 
is  transiting  the  minimal  transmitter-receiver  distance.  As  we  have  seen  in  a  multipath 
environment,  and  especially  NLoS  channels,  this  may  not  be  the  case.  Therefore,  the 
performance  of  these  techniques  is  additionally  tied  to  the  assumption  of  a  LoS  channel. 
This  assumption  will  not  hold  in  some  channels  which  include  indoor  and  dense  urban 
environments. 
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Figure  2.3.  The  database  correlation  method  of  positioning  where  a  radio 
signature  D  is  compared  to  database  elements  £>,  collected  a  priori  at  certain 
locations.  The  location  at  which  the  closest  database  element  match  was 
taken  is  used  as  the  position  estimate. 

2.2.2  Database  Correlation 

A  popular  alternative  to  multilateration  methods  is  the  database  correlation  technique  (also 
known  as  “fingerprinting”  or  “radio  frequency  pattern  matching”).  This  technique  seeks  to 
leverage  spatial  diversity  in  a  multipath  environment  to  improve  positioning.  To  this  end, 
radio  signatures  are  collected  at  various  locations  and  stored  in  some  database  £).  Signatures 
that  have  been  previously  used  and  demonstrated  as  effective  include  the  channel  impulse 
response  [33],  [34],  the  RSS  [19],  [35],  observable  cell  IDs  [18],  [36],  [37],  and  network 
parameters  such  as  the  TA  [38],  [39].  This  database  of  radio  signatures  is  then  compared 
with  measurements  made  online,  £>.  The  location  at  which  the  closest  database  match 
was  taken  is  used  as  the  position  estimate.  While  the  database  correlation  method  can  be 
robust  in  multipath  environments,  it  has  a  large  database  creation  (i.e.,  database  training) 
and  maintenance  cost  [18],  [19].  Additionally,  it  is  easy  to  see  that  accuracy  can  be  tied  to 
database  size.  Thus,  as  more  accuracy  is  desired  a  more  granular  database  must  be  created 
and  maintained.  Also,  as  the  database  size  grows,  the  computational  cost  associated  with 
the  database  search  increases. 

2.2.3  Timing  Advance-Based  Positioning 

As  TA-based  positioning  is  at  the  center  of  this  work,  we  now  provide  a  review  of  previous 
TA-based  research.  This  literature  survey  was  previously  presented  in  [28] .  The  TA  has  long 
been  studied  as  a  means  to  positioning  and  can  be  seen  as  specific  cases  of  multilateration  or 

3A  close  relative  of  TDoA  is  frequency  difference-of-arrival  (FDoA)  where  Doppler  shift  is  used  in 
conjunction  with  eNB-target  relative  motion  to  describe  a  hyperbolic  system  of  equations  [32]. 
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even  as  database  correlation.  The  TA  can  provide  a  rough  eNB -target  distance  measurement 
such  that  ToA  techniques  can  be  applied  to  this  specific  type  of  measurement.  Additionally, 
as  will  be  shown  in  a  subsequent  section,  the  TA  has  also  been  used  as  a  radio  signature  in 
fingerprinting  databases  [39]. 

2.2.4  The  Timing  Advance  in  GSM 

The  investigation  of  the  TA  for  positioning  applications  began  before  the  advent  of  LTE  in 
GSM,  a  legacy  protocol.  For  instance,  in  [40],  the  authors  discuss  the  possibility  of  using 
the  GSM  TA  as  a  mechanism  for  positioning.  They  note  poor  accuracy  and  suggest  forcing 
base  station  handovers  in  order  to  get  a  second  TA  to  improve  positioning.  They  conclude 
that  the  accuracy  is  not  sufficient  for  TA  to  be  seriously  considered  by  itself  as  a  method  for 
positioning. 

Accuracy  concerns  are  echoed  in  [5]  where  it  is  estimated  that  the  accuracy  of  the  GSM  TA 
is  theoretically  550  meters  and  practically  2,200  meters.  Nevertheless,  it  is  noted  that  a  cell 
tower,  termed  base  transceiver  station  (BTS)  in  GSM,  location  in  conjunction  with  the  TA 
is  used  in  many  countries  around  the  world  as  a  means  for  subscriber  localization.  This  is 
also  a  “fallback”  GSM  localization  technique  in  the  United  States  if  a  subscriber  cannot  be 
located  with  other,  more  accurate,  means. 

The  authors  in  [25]  suggested  taking  multiple  TA  measurements  from  the  same  tower  and 
averaging  them  in  order  to  improve  distance  estimation.  An  analysis  of  the  method  is 
presented,  but  no  real-world  experimentation  was  conducted.  It  was  noted  that  their  method 
will  only  result  in  a  distance  from  the  BTS,  and  any  further  improvement  in  accuracy  will 
be  the  fruit  of  other  means. 

In  [41],  the  authors  propose  the  use  of  GSM  TA  for  traffic  state  estimation,  not  for  precise 
user  localization.  However,  their  evaluation  oversimplifies  the  TA  behavior  in  simulation. 
Similar  to  the  other  studies  described  thus  far,  no  empirical  data  are  used. 

The  authors  in  [26]  present  the  only  study  we  are  aware  of  that  uses  empirical  TA  data 
observed  from  a  GSM  network;  however,  their  application  was  in  finding  GSM  BTSs  and 
not  user  location.  Their  study  was  still  largely  simulation  based,  and  they  only  presented 
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one  real-world  example.4 


2.2.5  The  Timing  Advance  in  LTE 

The  largely  unsuccessful  first  forays  into  using  the  TA  as  a  parameter  for  localization  are 
probably  to  blame  for  the  limited  amount  of  research  in  GSM  TA-based  positioning.  With 
an  accuracy  as  low  as  550  meters  to  2.2  kilometers  [5],  it  is  not  surprising  that  the  TA  did 
not  receive  much  attention  in  the  literature  initially. 

It  was  not  until  Jarvis  et  al.  [23]  recognized  the  potential  in  the  TA  parameter  in  LTE 
networks  that  researchers  reopened  their  study  of  the  TA  as  a  means  to  positioning.  Although 
again  a  simulation-only  approach,  the  authors  showed  viable  positioning  accuracy  in  three 
dimensions  when  using  a  TA  from  three  and  four  eNBs.  The  authors  did  not  address 
how  using  more  than  one  eNB  would  be  possible  nor  did  they  assume  there  was  any  error 
associated  with  the  eNB  in  issuing  the  correct  TA  to  the  UE.  Similar  investigations  were 
conducted  using  WiMAX  technology  in  [42]. 

In  [38],  Wigren  uses  the  LTE  TA  as  a  complementary  database  feature  when  performing 
localization  via  fingerprinting.  Using  a  heuristic  approach  to  modeling  the  behavior  of  the 
TA,  he  noted  accuracies  on  the  order  of  his  TA  error  and  suggested  his  algorithm  as  an 
appropriate  fallback  technology  for  positioning  for  E-911  in  LTE  if  Assisted  GPS  was  not 
available. 

The  authors  in  [43]  used  LTE  TA  as  a  means  for  proximity  discovery  in  device-to-device 
communications.  They  showed  through  simulation  that  errors  as  low  as  50  meters  were 
possible  for  certain  eNB  geometries.  However,  their  modeling  of  the  TA  was  also  heuristic, 
and  did  not  account  for  any  error  in  the  eNB  issuing  an  incorrect  TA. 

The  work  represented  by  [44]  is  the  only  published  work  we  are  aware  of  that  uses  empirical 
measurements  to  validate  TA-based  positioning  approaches  in  LTE.  Their  approach  did  not, 
however,  focus  on  characterizing  the  TA.  Rather,  similar  to  Wigren’s  approach,  they  used  it 
as  another  feature  in  a  fingerprinting  approach  to  localization  with  the  aim  of  minimizing 
the  cost  of  training  their  fingerprint  database.  They  also  made  no  attempt  to  characterize 
how  the  TA  value  correlated  with  the  true  distance  of  the  UE. 

4This  section  was  revised  from  [28]. 
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In  summary,  the  corpus  representing  the  TA  parameter  in  the  literature  is  conspicuously 
sparse.  Even  more  absent  are  studies  conducted  with  empirical  data,  thus  making  modeling 
in  simulation  largely  a  product  of  conjecture.  5 


2.3  LTE  Positioning  Protocol 

In  this  section,  we  describe  how  the  network  currently  provides  LBS  to  the  UE  in  LTE. 
This  is  done  via  the  LTE  Positioning  Protocol  (LPP)  [39].  LPP  allows  for  several  methods 
of  position  location:  Observed  Time-Difference-of-Arrival  (OTDOA),  Assisted  Global 
Navigation  Satellite  System  (A-GNSS),  and  Enhanced  Cell  ID  (E-CID). 

A-GNSS  is  well  studied  and  provides  very  reasonable  accuracy.  With  the  integration  of  the 
required  hardware  in  many  modern  mobile  devices,  A-GNSS  arises  as  an  adept  solution  to 
the  mobile  location  problem.  Despite  this,  there  still  exists  a  legacy  population  without  the 
required  hardware  that  must  be  serviced.  Additionally,  A-GNSS  usually  comes  at  a  high 
power  cost  which,  given  the  power-constrained  mobile  platform,  is  undesirable.  Finally,  the 
emerging  requirement  for  accurate  positioning  indoors  and  in  metropolitan  canyons  requires 
an  alternative  solution  [45]. 

OTDOA  is  a  positioning  method  where  a  UE  will  measure  the  time  difference  of  arrival  of 
the  LTE  Positioning  Reference  Signal  (PRS)  from  multiple  eNBs.  This  information  is  then 
sent  to  a  network-based  Enhanced  Serving  Mobile  Location  Center  (E-SMLC).  With  three 
or  more  eNBs,  the  resulting  system  of  equations  can  be  solved  to  provide  a  position  estimate. 
However,  like  A-GNSS,  OTDOA  suffers  in  urban  and  indoor  environments  where  NLoS 
and  multipath  channels  dominate.  Release- 1 1  will  complement  OTDOA  with  Uplink  Time- 
Difference-of-Arrival  (UTDOA).  The  main  difference  being  that  UTDOA  is  determined  by 
the  eNBs  after  a  signal  is  sent  from  the  UE  [45]  whereas  the  opposite  is  true  in  OTDOA. 

The  third  method  enlisted  by  LPP  for  UE  positioning  is  enhanced-cell  ID  (E-CID).  This 
method  is  identical  to  the  database  correlation  method.  When  a  UE  initiates  an  LPP  session, 
and  E-CID  is  the  chosen  method  from  which  to  derive  a  position,  the  network  will  negotiate 
with  the  UE  which  radio  signatures  the  UE  will  measure  and  send  to  the  E-SMLC  to  be 
compared  against  its  database.  This  measurement  set  is  reliant  on  the  composition  of  the 

5This  section  was  revised  from  [28]. 
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a  priori  database  and  the  UE  capabilities.  Measurements  specified  in  the  LPP  standard 
include  cell-ID,  reference  signal  received  power  (RSRP),  reference-signal  received  quality 
(RSRQ),  and  TA  [39].  The  best  radio  signature  set  useful  for  positioning  is  currently  an 
open  topic  (e.g.,  [38]);  however,  data  fusion  has  been  suggested  by  the  body  governing  the 
development  of  LTE,  the  Third  Generation  Partnership  Project  (3GPP),  [46]  via 


p  =  arg  min 

p 


£>rsrp  -  £)rsriv 


cr 


^RSRP,/ 


+ 


Dta  ~  £)ta ,i 


cr 


D 


'TA ,i 


(2.11) 


where  £>rsrp  is  the  UE  measured  RSRP,  Drsrp./  is  the  ith  pre-recorded  RSRP  measurement, 
£>ta  is  the  current  UE  TA,  Djaj  is  the  zth  pre-recorded  TA  measurement,  and  <r:D  are 
the  respective  database  variances.  Here  the  variances  have  been  included  as  weights  to 
normalize  the  effect  of  datasets  with  different  statistics. 


Finally,  it  should  be  noted  that  LPP  sessions  are  ciphered  [47]  and,  as  such,  effectively 
protected  data.  This  study  assumes  these  data  to  be  unreadable  and  thus  not  available  for 
exploitation.6 


6This  section  is  revised  from  [24]. 
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CHAPTER  3: 
Solution  Approach 


In  this  work,  we  propose  a  novel  method  to  localize  a  connected  cellular  device  based  on 
the  LTE  signaling  plane  TA  parameter.  While  this  work  specifically  focuses  on  applications 
in  LTE/LTE-A,  the  fundamental  process  is  applicable  to  all  cellular  technologies  which 
manage  mobile  device  timing  alignment  (e.g.,  WiMAX). 

As  was  seen  in  the  literature  survey  in  Chapter  2,  it  is  well-known  that,  in  addition  to 
maintaining  time  alignment,  the  TA  can  be  used  to  estimate  UE  distance  from  serving 
eNBs  [23],  [40].  However,  there  is  not  a  rigorous  analysis  of  the  best  possible  positioning 
accuracy  of  this  method.  We  will  show  through  analysis  how,  with  the  advent  of  tighter 
time  alignment  in  LTE,  the  TA  has  turned  a  statistical  corner  making  positioning  a  UE 
with  an  unprecedented  level  of  consistent  accuracy  possible.  Additionally,  we  propose  a 
method  of  augmenting  TA-based  positioning  to  further  improve  accuracy.  Referring  now 
to  Figure  3.1,  we  outline  the  proposed  scheme  in  three  general  steps.  First,  relevant  data 
are  collected.  Primarily,  this  includes  TA  data  sent  to  the  target  UE  from  which  a  distance 
estimate  is  inferred.  Optionally,  the  TA  data  are  then  augmented  with  the  CeSAR  algorithm. 
The  position  estimate  is  then  made  with  the  resulting  data  set. 

3.1  Data  Collection 

Data  collection  begins  with  initialization  with  the  relevant  parameters  that  are  assumed  to  be 
known  a  priori.  The  parameters  in  question  include  the  serving  eNB  location(s),  the  cellular 
address  of  the  UE  to  be  located,  the  operating  E-UTRA  absolute  radio  frequency  carrier 
number  (EARFCN),  and  each  eNB’s  TA  bias7.  The  mobile  UE  is  uniquely  identified  with 
an  international  mobile  subscriber  identity  (IMSI),  which  the  network  maps  to  a  cellular 
software  address.  This  software  address  must  be  known  in  order  to  ascribe  the  correct 
TA  values  to  the  UE  since  a  multiplicity  of  UEs  may  receive  TAs  from  a  single  eNB.  The 
geometry  of  the  serving  eNB(s)  can  be  ascertained  directly  by  site  survey  or  by  statistically 

7It  should  be  noted  that  in  practical  scenarios  involving  a  sectored  eNB,  the  UE  sector  must  also  be  known 
in  order  to  ensure  the  third  party  can  receive  information  transmitted  from  the  tower  to  the  UE.  In  this  work, 
we  assume  that  eNBs  are  not  sectored. 
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Figure  3.1.  The  proposed  scheme  for  TA-based  positioning 


inferring  eNB  locations  from  data  collected  in  the  field  (i.e.,  war  driving)  [26].  We  assume 
the  former  in  order  to  not  confound  the  major  sources  of  error.  Finally,  in  practice,  we  find 
that  each  eNB  has  its  own  specific  TA  bias  which  must  be  known  a  priori  in  order  to  achieve 
an  unbiased  position  estimate.  This  bias  can  be  measured  directly  during  site  surveys. 

Next,  TA  data  issued  from  the  network  to  the  target  UE  are  collected.  If  more  than  one 
eNB  is  serving  the  UE  (a  type  of  physically  disjoint  carrier  aggregation)  this  collection  is 
repeated  for  each  of  the  N  >  1  eNBs.  As  cellular  technology  evolves  to  embrace  the  idea 
of  heterogeneous  networks  (i.e.,  LTE-A  release  11+),  the  scenario  where  N  >  1  becomes 
more  realistic,  drastically  improving  the  quality  of  a  position  estimate. 

Once  a  TA  from  each  serving  eNB  is  collected,  the  option  to  refine  the  estimate  further  is 
or  is  not  exercised.  In  order  to  simplify  the  analysis,  we  focus  specifically  on  the  case  of 
localization  and  not  tracking.  In  other  words,  prior  information  is  not  used  to  improve  the 
current  position  estimate  (e.g.,  Markov  or  Kalman  filtering).  Rather,  one  TA  collection  is 
used  to  perform  a  static  position  estimate  of  the  target  UE.  The  number  and  geometry  of 
serving  eNBs  will  later  be  shown  to  heavily  influence  the  positioning  accuracy.  More  eNBs 
will  generally  produce  a  more  accurate  estimate.  The  effect  of  the  eNB  geometry  on  the 
position  estimate  is  more  difficult  to  dilute  into  a  rule  of  thumb.  However,  in  general  terms, 
the  more  eNBs  that  are  collinear  or  approximately  collinear  generally  reduces  precision. 
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Figure  3.2.  The  CeSAR  algorithm 


Positioning  can  be  done  from  several  frames  of  reference:  the  network,  mobile,  or  third 
party.  If  the  positioning  is  network-centric  then  the  eNBs  will  communicate  TAs  issued 
back  to  a  central  server  which  will  perform  the  position  estimate  of  the  target  UE.  If  the 
positioning  is  mobile-centric,  then  the  UE  collects  all  issued  TAs  and  performs  the  position 
estimate  locally.  In  both  of  these  cases  it  is  trivial  to  acquire  both  the  local  eNB  geometry, 
UE  address,  and  eNB  bias  since  it  is  reasonably  assumed  that  the  network  both  knows 
these  parameters  and  will  be  cooperative.  Alternatively,  if  the  positioning  is  done  by  third 
party,  the  TAs  will  be  observed  over  the  air8  and  the  sensor  can  report  its  measurement  in 
any  number  of  ways  to  the  third  party.  Because  scheme  initialization  is  non-trivial  from  a 
third-party  viewpoint  and  thus  the  most  arduous  frame  of  reference  to  take,  we  hereafter 
assume  this  perspective. 

3.2  Cellular  Synchronization  Assisted  Refinement 

If  the  option  to  refine  the  estimate  is  exercised,  then  the  CeSAR  algorithm  [24],  presented  in 
Figure  3 .2,  is  used.  Notably,  the  algorithm  requires  input  from  an  extra-network  sensor.  This 
sensor  can  be  implemented  with  a  relatively  cheap  software  defined  radio  (SDR)  solution 
and  is  detailed  further  in  a  later  chapter.  Ultimately,  the  algorithm  adds  an  extra  dimension 
to  the  existing  TA-only  system  of  equations  and  therefore  has  less  error  than  the  distance 
estimate  provided  by  the  TA(s)  alone.  This  augmented  system  of  equations  is  then  later 
used  to  estimate  the  target  UE  position. 

CeSAR  begins  by  orienting  the  sensor  to  the  network  by  observing  cellular  network  beacon 
signals.  These  signals  communicate  network  organizational  information  which  includes 
frame  boundary  locations  in  time.  This  synchronization  enables  the  sensor  to  perform 
further  demodulation  and  observation  of  network  traffic.  After  the  sensor  is  oriented,  it 
observes  a  TA  issued  to  the  target  UE  from  a  serving  eNB.  From  this  information,  the  sensor 
determines  both  when  the  UE  is  instructed  to  transmit  its  next  uplink  burst  and  the  target 

8The  TA  will  later  be  shown  to  be  sent  unencrypted,  making  this  type  of  observation  possible. 


21 


UE’s  approximate  distance  from  the  eNB.  Finally,  the  sensor  estimates  its  distance  to  the 
target  UE  d'  by  calculating  the  time  of  flight  of  a  UE  uplink  burst  to  the  sensor. 

This  technique  of  augmentation  has  several  advantages,  foremost  of  which  is  that  the 
augmentation  is  performed  entirely  passively.  Because  the  sensor  is  not  required  to  transmit 
during  any  portion  of  the  augmentation  it  simultaneously  makes  the  process  impossible  to 
detect  from  electromagnetic  emanation  and  does  not  offer  any  further  traffic  load  to  the 
network.  Furthermore,  all  information  utilized  in  the  refinement  process  is  sent  in  plaintext, 
thus  it  does  not  require  the  sensor  to  bypass  encryption.  Additionally,  strategic  positioning 
of  the  sensor  can  overcome  geometric  dilution  of  precision  (GDoP).  Because  control  of 
the  network  geometry  is  usually  not  possible,  this  point  is  significant  and  is  demonstrated 
further  in  the  work. 

For  the  aforementioned  reasons,  we  submit  that  the  proposed  method  of  augmentation 
is  preferable  from  a  network  operator  perspective  and  simultaneously  attractive  from  a 
vulnerability  analyst’s  perspective.  Because  the  additional  required  infrastructure  (i.e., 
sensor)  is  inexpensive  and,  in  contrast  to  LPP,  it  does  not  offer  further  network  load  it 
is  an  attractive  solution  to  network  providers  seeking  to  maximize  network  performance 
while  minimizing  operational  costs.  Alternatively,  it  is  also  a  significant  finding  from  a 
vulnerability  analyst’s  perspective,  because  it  is  a  passive  technique  that  can  be  utilized 
relatively  covertly. 

3.3  Position  Estimation 

Once  the  data  are  collected  (regardless  of  whether  they  are  augmented  with  CeSAR)  the  po¬ 
sition  estimate  can  be  made  as  in  Figure  3.3.  A  benefit  of  the  proposed  scheme  is  that  there 
is  no  requirement  on  the  resulting  system  of  equations  (e.g.,  consistency,  overdetermined, 
underdetermined,  etc.).  Specifically,  the  estimate  is  calculated  through  a  nonlinear  pro¬ 
gramming  approach  parameterized  by  the  latent  distributions  of  error  which  seeks  the  most 
likely  position  of  the  UE.  The  type  of  position  estimate  is  termed  the  maximum-likelihood 
estimate  (MFE). 

When  developing  a  MFE  a  critical  first  step  is  understanding  the  underlying  error  distribu¬ 
tions  associated  with  the  measurements.  This  is  perhaps  the  most  crucial  step,  since  the 
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Figure  3.3.  The  method  of  position  estimation 


final  position  estimate  is  only  the  most  likely  position  location  if  the  error  distribution  is 
well  understood.  We  will  later  cast  the  TA  error  as  a  quantized  RV  and  show  that  the  error 
can  be  modeled  as  normally  distributed.  Thus,  the  MLE  of  the  true  distance  from  a  distance 
estimate  that  is  normally  corrupted  dj  for  a  single  measurement  is  the  measurement  result 
itself.  This  straightforward  result  hinges  on  the  assumption  made  about  the  underlying  error 
itself.  However,  the  underlying  phenomenon  associated  with  a  TA  is  complex,  therefore,  a 
significant  amount  of  work  is  dedicated  to  substantiating  the  claim  for  latent  normality. 

After  di  V/  is  established,  if  measurements  are  CeSAR-augmented,  the  vector  of  all  dj  is 
concatenated  with  the  CeSAR  measurement  d'.  Explicitly,  the  resulting  vector  of  measure¬ 
ments  used  to  perform  the  position  estimate  is  either  d  =  \d\, . . . ,  c/,v ] 1  if  augmentation  is 
omitted  or  d  -  [d\, . . . ,  d/y,  d']T  if  augmentation  is  implemented.  Those  N  or  N  +  1  mea¬ 
surements  are  then  used  to  construct  an  error  surface  defined  by  the  conditional  probability 
density  function  p(d|d). 

Finally,  finding  the  most  likely  position  requires  finding  the  argument  p  =  [x,  y]T  which 
maximizes  the  error  surface  p(rf|d)  via  the  program 

p  =  argmaxp(d|d).  (3.1) 

p 

For  some  distributions,  finding  the  exact  MLE  requires  an  exhaustive  search  over  all  p  [10]. 
Because  of  the  non-trivial  computational  burden  levied  by  such  a  brute  force  approach, 
significant  effort  has  been  made  in  the  research  to  find  approximate  solutions  to  this  max¬ 
imization  program  (e.g.,  [31]).  Because  this  problem  is  well-traveled  in  the  literature,  it  is 
not  a  focus  of  this  work.  Instead,  we  use  computationally  intensive  means  to  arrive  at  p 
in  order  to  avoid  idiosyncrasies  associated  with  some  of  the  more  nuanced  solutions  in  the 
literature. 
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3.4  Performance  Metrics 

The  Cramer-Rao  Lower  Bound  (CRLB)  is  a  well-accepted  lower  bound  on  the  performance 
of  an  unbiased  estimator  [10],  [48].  However,  like  the  MLE,  the  CRLB  is  highly  dependent 
on  understanding  the  distribution  of  the  underlying  error.  Additionally,  the  CRLB  can  be 
difficult  to  calculate  in  closed  form  for  certain  non-standard  error  distributions  [21].  Despite 
the  fact  that  the  error  associated  with  a  TA  is  a  discrete  RV9  and  thus  strictly  non-injective  in 
terms  of  the  observed  rounded  RV,  we  will  show  that  the  CRLB  can  be  derived  through  an 
understanding  of  the  RV  through  the  lens  of  quantization.  The  values  realized  by  evaluation 
through  the  CRLB  are  also  somewhat  abstract  as  they  are  given  in  mean-squared  error 
(MSE)  or  root  mean-squared  error  (RMSE).  In  both  cases,  the  errors  are  squared  before  the 
mean  is  taken  (in  the  case  of  RMSE  the  root  of  the  mean  is  then  taken)  via 


N 

MSE  =  )T||po-p,||2 

i= 1 


RMSE  = 


N 


2  IlPO  -  Pill2 


(3.2) 


for  N  trials  and  ||  •  ||  is  the  Euclidean  norm.  Of  these  two  abstract  metrics,  RMSE  provides 
values  that  are  most  easily  understood.  While  the  RMSE  cannot  be  directly  translated  to 
mean  error,  the  values  are  the  most  intuitively  satisfying. 


While  we  rely  primarily  on  the  CRLB  to  show  theoretical  lower  bounds  on  the  performance, 
accuracy  is  also  demonstrated  in  specific  cases  with  the  circular  error  probable  (CEP).  CEP 
is  established  in  context  of  a  certain  percentage.  For  example,  CEP  70%  will  result  in  a 
distance  within  which  the  error  associated  with  p  will  fall  with  probability  0.7.  To  further 
illustrate  the  contribution  of  this  metric  we  present  a  case  study  in  Figure  3.4.  In  this 
figure,  a  UE  is  located  at  po  =  [0, 0]r  and  successive  position  estimates  are  made  which 
are  corrupted  by  independent  and  identically  distributed  normal  measurement  noise  in  both 
the  orthogonal  Cartesian  directions.  In  the  left  pane  of  the  figure,  a  cumulative  density 
function  (CDF)  representing  the  error  associated  with  the  position  estimate  is  shown.  The 
CDF  describes  the  probability  that  a  realization  of  a  RV  X  will  fall  below  a  given  value  x 

9The  TA  can  be  seen  as  a  rounded  distance  measurement;  see  Chapter  4  for  further  treatment  of  the  TA. 
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(a)  (b) 

Figure  3.4.  The  circular  error  probable  at  50%,  70%,  and  90%  shown  with 
a  CDF  and  in  simulation 


via  [49] 


Fx(x)  =  Pr[X  <x]=  f  fx(y)dy 
J  —co 


where  /%(■)  is  the  CDF  and  fx ( ■ )  is  the  PDF  defined  by  [49] 


fx(x)  =  ^-Fx(x). 
ax 


(3.3) 


(3.4) 


The  values  of  x  for  Fx(x)  -  {0.5, 0.7, 0.9}  are  all  shown  on  the  x-axis  in  the  left  pane 
of  Figure  3.4  and  can  be  interpreted  as  the  distance  from  the  true  position  that  a  certain 
percentage  of  the  estimates  p,  will  fall.  For  instance,  in  the  case  of  the  study  presented  in 
Figure  3.4,  70%  of  all  position  estimates  will  fall  within  1.57  units  of  po- 

While  CEP  gives  a  more  intuitive  metric,  it  is  most  useful  in  Monte-Carlo  simulation  with 
more  complex  underlying  errors  and  cannot  usually  be  derived  analytically.  Additionally, 
we  sometimes  present  the  empirical  moments  from  a  simulation  along  with  CEP  in  order 
to  provide  a  more  complete  statistical  picture.  However,  the  empirical  moments  do  not 
necessarily  align  with  the  CEP  metric.  In  other  words,  if  X\  and  AC  are  both  RVs  it  could 
be  that  X\  has  a  lower  CEP  70%,  but  AC  has  a  lower  mean  error. 
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3.5  Summary 

The  proposed  scheme  has  several  distinct  advantages  and  limitations.  In  contrast  to  TA- 
based  resolution  in  legacy  networks,  the  scheme  is  accurate  on  the  order  of  tens  of  meters. 
However,  the  accuracy  is  proportional  to  the  number  of  available  eNBs  N  so,  in  the 
common  legacy  case  where  N  =  1,  accuracy  suffers  somewhat.  Nonetheless,  as  cellular 
infrastructure  evolves,  it  is  expected  that  the  case  where  N  >  1  will  become  increasingly 
common  [3]  lending  itself  to  multiple  eNB  positioning.  With  augmentation,  accuracy  can 
also  be  improved  on  the  order  of  tens  of  meters  and  without  the  need  for  any  emissions 
from  the  augmentation  sensor  (i.e.,  passively).  This  makes  CeSAR  augmentation  a  sensible 
choice  for  heavily  congested  networks  and  applications  requiring  discretion  since  it  does  not 
add  traffic  to  the  existing  network.  An  obvious  limitation  is  that  it  requires  extra  hardware 
to  be  introduced  into  the  network. 

In  the  subsequent  chapters,  we  detail  the  efficacy  of  the  proposed  solution  approach  through 
a  thorough  treatment  of  data  collection,  CeSAR  augmentation,  and  position  estimation. 
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CHAPTER  4: 

Morphology  of  the  LTE  Timing  Advance 


In  this  section,  we  present  a  review  of  the  LTE  standard  with  the  specific  focus  of  the 
structure  and  relationship  of  the  TA  to  the  protocol  at  large.  The  operation  of  the  TA  in 
current  (legacy)  network  deployments  and  future  (heterogeneous)  deployments  is  discussed. 

This  chapter  includes  adaptations  from  work  which  has  been  previously  published  by  the 
author.  Specifically,  sections  4. 1-4.6  are  taken  from  “Cellular  Synchronization  Assisted 
Refinement  (CeSAR):  A  Method  for  Accurate  Geolocation  in  LTE-A  Networks”  by  John 
Roth,  Murali  Tummala,  and  James  Scrofani  published  in  the  proceedings  of  the  49th  Hawaii 
International  Conference  on  System  Sciences  in  January  2016  [24].  Section  4.7  is  revised 
from  “Maximum  Likelihood  Geolocation  in  LTE  Cellular  Networks  Using  the  Timing 
Advance  Parameter”  by  John  Roth,  Murali  Tummala,  John  McEachen,  James  Scrofani,  and 
Robert  DeGabriele  to  be  published  in  the  proceedings  of  the  10th  International  Conference 
on  Signal  Processing  and  Communication  Systems  in  December  2016  [21].  Section  4.8  is 
revised  from  “Location  Privacy  in  LTE:  A  Case  Study  on  Exploiting  the  Cellular  Signaling 
Plane’s  Timing  Advance”  by  John  Roth,  Murali  Tummala,  John  McEachen,  and  James 
Scrofani  to  be  published  in  the  proceedings  of  the  50th  Hawaii  International  Conference  on 
System  Sciences  in  January  2017  [28]. 


4.1  Time  Alignment  Management  in  LTE 

The  TA  is  a  signaling  plane  parameter  with  the  purpose  of  reconciling  UE  mobility  with 
quality  of  service.  LTE  uses  an  orthogonal  frequency-division  multiple  access  (OFDMA) 
scheme  which  requires  that  transmissions  are  highly  disciplined  in  time  and  frequency 
in  order  to  avoid  intersymbol  interference  with  other  UEs  sharing  service  with  the  same 
eNB  [22].  As  UEs  move  throughout  a  serving  cell  their  distance  to  the  serving  eNB 
may  change  thus  changing  the  propagation  delay  between  the  UE  and  the  eNB.  The  eNB 
constantly  estimates  the  UE-eNB  distance  and  issues  TA  updates  in  order  to  ensure  the  UE 
is  continuously  synchronized  in  time  relative  to  the  propagation  delay. 

Ever  since  GSM,  the  TA  quantity  has  been  recognized  as  useful  for  positioning  cellular 
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Figure  4.1.  The  random  access  response  (RAR)  message  found  in  the  media 
access  control  (MAC)  header.  Bit  boundaries  are  denoted  by  the  bar  above 
the  figure.  Adapted  from  [50]. 


devices  [23],  [40].  In  this  section  we  aim  to  develop  context  for  the  TA  inside  LTE  networks. 

The  TA  takes  two  forms  during  normal  cellular  operation.  The  first  is  the  TA  that  is  ne¬ 
gotiated  during  the  initial  network  random  access.  After  the  UE  has  obtained  downlink 
synchronization  via  the  primary  and  secondary  search  signals  (PSS/SSS)  and  the  corre¬ 
sponding  system  information  from  the  master  and  system  information  blocks  (MIB/SIB) 
the  UE  requests  network  access  from  the  eNB  via  a  random  access  preamble.  If  the  request 
is  successful  the  eNB  continues  network  access  negotiation  with  a  random  access  response 
(RAR)  message.  As  seen  in  Figure  4.1,  inside  this  message  is  the  cell  radio  network  tem¬ 
porary  identifier  (C-RNTI)10,  an  uplink  resource  grant,  and  an  11 -bit  TA  quantity  where 
TA  6  {0, 1,  •  •  •  ,  1282}  [50].  This  quantity  directs  the  UE  to  begin  transmission  of  its  uplink 
frame  16  x  Ta  x  Ts  seconds  before  the  beginning  of  the  corresponding  downlink  frame, 
where  Ts  is  the  sampling  frequency  [51],  [52]. 

The  second  form  the  TA  takes  is  during  normal  maintenance  of  the  eNB-UE  connection. 
Unlike  the  TA  during  initial  network  access,  this  TA  only  adjusts  the  UE’s  uplink  timing 
based  on  its  current  timing  and  is  thus  relative.  As  the  mobile  device  moves  throughout  the 
vicinity  of  the  eNB  its  distance  to  the  eNB  will  likely  change.  In  order  to  maintain  the  uplink 

10This  is  a  temporary  user  address  which  will  receive  further  discussion  in  Section  4.3. 
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Figure  4.2.  The  legacy  timing  advance  command  (top)  and  the  release  10+ 
timing  advance  command  (bottom).  Bit  boundaries  are  denoted  by  the  bar 
above  the  figure.  Source:  [50]. 


timing  alignment,  the  eNB  will  periodically  issue  TA  commands  to  the  UE.  These  six-bit 
TA  commands  come  in  the  form  of  a  medium  access  control  (MAC)  control  element  (CE)  as 
seen  in  Figure  4.2  [50].  Because  only  six  bits  are  used  Ta  e  {0, 1,  •  •  •  ,63}.  Each  command 
moves  the  ETE’s  current  uplink  timing  by  16  x  (Ta  -  31)  x  Ts  seconds.  The  possibility  of  a 
negative  value  allows  for  the  uplink  timing  to  be  advanced  or  retarded  depending  on  which 
direction  the  UE  is  moving  relative  to  the  eNB  [51],  [52]. 

Additionally,  as  of  Release  9,  type  1  and  type  2  TAs  are  introduced  [53].  A  type  2  TA  is 
determined  by  the  eNB  via  the  UE  generated  random  access  preamble  and  calculated  as 

T A-I  -  t eN li.Rx  -  t eNB, Tx  (4.1) 

where  ieNB,Rx  is  the  time  instance  where  the  eNB  receives  the  UE  random  access  preamble 
as  determined  by  the  first  path  and  teNB,Tx  is  the  standard  eNB  frame  timing.  A  type  1  TA 
is  calculated  during  the  maintenance  phase  via 

TA\  =  (teNB,Rx  ~  teNB,Tx )  +  ( tlJE,Rx  ~  tjJEJx )  (4.2) 

where  the  first  difference  is  the  time  separation  between  a  received  uplink  frame  and  its 
transmit  timing  and  the  second  difference  is  the  time  separation  of  those  same  frames  only 
this  time  at  the  UE.  The  second  difference  is  always  positive,  while  the  first  may  be  positive 
or  negative.  The  type  1  TA  theoretically  allows  the  eNB  to  determine  the  round  trip  time 
with  arbitrarily  small  error  and  use  this  to  advance  or  retard  the  served  UE’s  uplink  timing. 
It  should  be  noted  that  the  type  1  TA  is  never  sent  over  the  radio  link  and  is  thus  not  available 
for  exploitation  over  the  air  by  a  third  party;  however,  we  later  discuss  how  a  passive  listener 
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Figure  4.3.  The  uncertainty  associated  with  TA  distance  measurements 

can  use  this  principle  to  refine  an  observed  TA  command  via  CeSAR. 

Both  the  initial  and  maintenance  TA  are  sent  in  plaintext.  The  first,  which  is  found  in 
the  RAR,  is  sent  before  a  security  key  is  negotiated  and  thus  must  necessarily  not  be 
encrypted.  The  maintenance  TA  is  sent  as  a  MAC  CE.  Since  the  CEs  are  sent  as  part  of 
the  MAC  header,  which  is  below  the  Packet  Data  Convergence  Protocol  (PDCP)  sublayer, 
it  is  also  not  encrypted.  This  enables  a  third  party  within  range  to  observe  this  traffic  in 
plaintext.  However,  if  the  third  party  does  not  observe  the  initial  TA  it  will  be  more  difficult 
to  effectively  use  the  maintenance  TA  for  ranging  as  each  one  is  relative  to  the  previous 
absolute  TA  maintained  by  the  UE  and  the  network.11 

4.2  Uncertainty  in  the  Timing  Advance 

Largely  because  of  the  discrete  nature  of  the  TA,  a  single  measurement  from  an  eNB  will 
reduce  the  possible  location  of  the  UE  to  an  annulus  of  fixed  width,  r.  This  annulus,  with 
the  eNB  as  its  center,  is  shown  in  Figure  4.3.  This  discrete  error  is  also  exacerbated  by 
error  associated  with  the  eNB  antenna  height,  multipath  propagation,  and  clock  bias  [42]. 
By  analyzing  the  quantization  error  we  can  determine  the  width  of  the  area  of  uncertainty. 

"This  section  was  revised  from  [24]. 
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As  stated  previously,  a  TA  will  change  a  UE’s  uplink  timing  in  increments  of  16  x  Ts.  The 
parameter  Ts  is  the  LTE  basic  unit  of  time  and  is  given  by 


Tx  = 


1 


15  000x2048 


seconds 


(4.3) 


where  15  000  corresponds  to  the  subcarrier  spacing  of  15  kHz  and  2048  corresponds  to 
the  maximum  Fast  Fourier  Transform  (EFT)  size  [23],  [51].  Assuming  speed  of  light 
propagation,  the  range  of  uncertainty  r  can  then  be  calculated  by 


i ,  1  c 

t  —  In  V  —  X  _ 

2  15  000x2048 


=  78.125  meters 


(4.4) 


where  c  is  the  speed  of  light  and  the  extra  factor  of  1  /2  is  included  because  the  eNB  must 
consider  the  downlink  propagation  time  for  the  command  to  reach  the  UE  when  issuing  a 
TA. 


This  line  of  analysis  can  also  be  used  to  determine  the  maximum  eNB-UE  range  supportable 
by  LTE.  Since  the  maximum  initial  TA  value  is  1282,  the  formula  in  (4.4)  can  be  used  to 
determine  a  maximum  supportable  distance  of  approximately  100  km. 12 


4.3  Software  Address  Space  in  LTE 

Because  a  multiplicity  of  users  will  be  simultaneously  connected  to  a  given  eNB  and 
because  each  user  may  be  at  different  distances  from  the  eNB,  each  UE  must  be  able  to 
determine  which  TAs  are  issued  to  which  UEs.  To  this  end,  each  TA  is  associated  with  a 
destination  address  in  the  form  of  a  16-bit  C-RNTI.  The  C-RNTI  is  effectively  a  temporary 
software  address  issued  by  the  network  to  each  UE  analogous  to  an  Internet  Protocol 
address.  The  C-RNTI  is  initially  leased  to  a  UE  during  network  access  negotiation  via 
the  RAR  message.  Maintenance  TAs  are  associated  with  a  specific  C-RNTI  via  downlink 
scheduling  assignments  made  on  the  Physical  Downlink  Control  Channel  (PDCCH)  found 
in  the  L1/L2  control  region  of  each  subframe  [22].  Because  the  L1/L2  control  region  of  each 
subframe  needs  to  be  decoded  by  every  UE,  it  is  sent  in  the  clear.  Therefore,  a  third  party 
could  use  the  information  in  the  PDCCH  to  find  the  resource  on  which  a  transport  block  for 
a  particular  UE  is  located.  The  corresponding  transport  block  could  then  be  searched  for 

12This  section  was  revised  from  [24]. 
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a  TA  CE.  Of  particular  importance  with  respect  to  C-RNTI  attribution  is  that  UE  network 
access  must  be  observed  in  order  to  initially  associate  a  C-RNTI  with  a  particular  UE  IMSI 
as  the  IMSI  is  not  frequently  transmitted  unencrypted.13 


4.4  Timing  Adjustment  Frequency 

The  frequency  of  the  maintenance  TA  is  of  particular  importance  as  we  would  like  to  know 
how  often  this  information  is  transmitted  and  thus  how  available  it  is.  This  frequency  is 
lower  bounded  by  an  LTE  parameter  timeAlignmentTimer  [54].  This  timer  is  reset  each 
time  a  TA  is  received  from  the  eNB.  If  the  timer  expires,  the  radio  connection  is  considered 
out  of  synchronization  and  the  UE  must  renegotiate  with  the  network  to  restore  its  uplink 
time  synchronization.  Because  of  this,  the  TA  frequency  must  ensure  a  TA  is  issued  within 
the  period  of  time  specified  by  the  timeAlignmentTimer.  This  parameter  has  configurable 
finite  durations  {500, 750, 1280, 1920, 2560, 5120, 10240}  which  is  common  for  all  serving 
cells  per  UE.  The  duration  corresponds  to  the  maximum  number  of  subframes  sent  in 
between  TAs.  Because  subframes  are  continuous  in  LTE  and  because  each  subframe  is 
stipulated  as  1  ms  long  by  the  standard,  the  available  durations  can  also  be  interpreted  as 
number  of  milliseconds  [51].  Therefore,  when  configured  for  finite14  duration,  we  can 
expect  a  TA  to  be  sent  no  less  frequently  than  anywhere  from  every  one  half  second  to 
every  ten  seconds.  In  practice,  the  TA  frequency  will  be  more  frequent,  usually  resulting 
in  TAs  issued  several  times  per  second  [22].  During  field  measurements,  we  observed  TA 
issuance  frequencies  at  the  sub-second  level.  This  frequency  of  the  TA  will  be  sufficient  for 
the  purpose  of  nearly-continuous  positioning. 15 


4.5  Heterogeneous  Networks 

Heterogeneous  network  deployments  were  introduced  in  LTE  Release  10  which,  among 
other  improvements,  allowed  for  increasing  the  data  capacity  of  a  network  through  carrier 
aggregation.  Carrier  aggregation  is  a  method  by  which  several  carriers  may  be  configured 
to  support  a  single  UE.  When  carrier  aggregation  is  used,  a  primary  cell  (PCell)  and 
one  or  more  secondaries  (SCell)  may  be  configured  to  support  a  single  UE.  The  Radio 

13This  section  was  revised  from  [24]. 

14The  standard  also  allows  for  a  configurable  infinite  duration  of  timeAlignmentTimer. 

15This  section  was  revised  from  [24]. 


32 


Resource  Control  (RRC)  sublayer  is  responsible  for  selecting  an  PCell  and  then  configuring 
appropriate  SCells  [54].  Release  1 1  further  provides  support  for  PCells  and  SCells  that  are 
not  co-located.  In  order  to  maintain  uplink  synchronization  among  all  serving  cells  it  was 
necessary  to  establish  the  concept  of  the  timing  advance  group  (TAG).  Serving  cells  that 
are  co-located  are  assigned  to  the  same  TAG,  thus  removing  the  need  for  separate  TAs  for 
each  individual  cell.  As  seen  in  Figure  4.2,  TAGs  are  associated  with  TA  updates  in  the 
two-bit  TAG  ID  field.  The  size  of  the  TAG  ID  field  indicates  the  specification  is  designed 
to  eventually  support  up  to  three  additional  SCells  or  four  total  separate  channels. 16 

4.6  Timing  Advance  Positioning  during  Handovers  and 
with  Coordinated  Multipoint 

In  order  to  facilitate  inter-cell  mobility,  UEs  must  monitor  and  evaluate  the  received  signal 
quality  of  neighboring  cells.  The  type  and  frequency  of  measurements  are  configurable  and 
are  dictated  by  the  network.  Measurements  normally  involve  acquisition  of  the  cell  PSS 
and  SSS.  After  this  is  complete,  the  UE  will  have  determined  the  cell-ID  and  the  downlink 
synchronization  giving  it  access  to  the  cell-specific  reference  signal.  This  signal  is  then 
used  to  determine  the  reference  signal  received  power  (RSRP)  and/or  the  reference  signal 
received  quality  (RSRQ).  If  the  RSRP  or  RSRQ  is  larger  than  a  configurable  quantity  then 
that  cell  will  be  selected  for  handover.  Handovers  may  occur  for  various  other  reasons  such 
as  network  load  management  [54]. 

In  the  case  of  a  network  initiated  handover,  the  UE  is  notified  by  the  serving  eNB  via  a 
message  that  is  generated  by  the  target  eNB17.  This  message  may  include  mobility  infor¬ 
mation  such  as  the  target  cell-ID,  physical  layer  parameters,  and  the  new  C-RNTI  to  assist 
the  UE  in  establishing  its  new  connection.  Notably,  the  handover  is  asynchronous,  meaning 
the  UE  will  begin  the  random  access  procedure  with  the  target  eNB  which  will  involve 
the  negotiation  of  a  new  initial  TA  concurrently  while  still  receiving  a  TA  from  the  source 
eNB  [54], 

The  presence  of  two  TAs  from  spatially  disparate  beacons  presents  a  unique  opportunity 
for  gleaning  location  information.  By  processing  this  information  at  the  E-SMLC  with 

16This  section  was  revised  from  [24]. 

17More  specifically,  this  message  is  passed  as  a  RRCConnectionReconfiguration  message  [54]. 
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TDoA  methods,  a  hyperbolic  annular  locus  can  be  described  around  the  source  and  target 
eNBs.  The  advantage  of  this  type  of  scenario  lies  in  no  requirement  for  the  UE  to  be  tightly 
synchronized  with  the  network  effectively  removing  the  error  from  clock  bias.  Alternatively, 
the  ToA  method  may  be  used  which  will  result  in  two  annuli  from  the  two  TAs.  The  two 
annuli  reduce  the  target  locus  to  the  their  area  of  intersection.  Finally,  if  ciphering  is  not 
enabled,  the  target  eNB  will  issue  a  new  C-RNTI  to  the  UE  in  the  clear  allowing  a  passive 
listener  to  map  the  previous  C-RNTI  to  the  new. 

Coordinated  Multipoint  (CoMP),  potentially  part  of  Release  1 1,  is  a  related  technique  that 
aims  to  improve  quality  of  service  at  cell  boundaries  by  coordinating  the  reception  of  a  UE 
signal  at  multiple  eNBs  [55].  Uplink  timing  alignment  becomes  difficult  in  such  a  scenario, 
as  the  UE  cannot  transmit  the  same  signal  at  different  times  to  ensure  each  cell  receives  a 
time-aligned  signal.  Solutions  to  this  problem  generally  involve  synchronizing  the  uplink 
timing  to  the  nearest  serving  cell  [56]  and  then  selecting  other  appropriate  cells  such  that 
the  other  received  signal  arrive  within  the  duration  of  the  cyclic  prefix  [57].  Thus,  while  it  is 
still  an  open  area  of  research,  the  general  consensus  is  for  the  UE  to  be  uplink  synchronized 
to  the  closest  serving  cell  [55],  [57].  Since  CoMP  provides  no  additional  location-based 
information  (i.e.,  the  network  still  only  issues  one  TA)  it  is  not  considered  further  in  this 
study.18 

4.7  The  Empirical  Timing  Advance 

To  shed  light  on  the  behavior  of  the  TA  in  the  wild,  we  examine  real-world  data  observed 
in  Maryland  and  California  and  shown  in  Figure  4.4  and  Figure  4.5.  First  we  examine  the 
data  presented  in  Figure  4.4,  which  represents  collections  where  the  UE  was  traveling  at 
a  constant  rate  in  a  suburban  environment  such  that  the  distribution  of  eNB-UE  distances 
during  measurement  is  approximately  uniform.  From  this  subset  of  data,  we  make  two 
observations. 

First,  in  most  cases  the  variance  offered  by  the  TA  was  relatively  small  compared  to  the 
variances  contributed  by  the  measurement  error.  For  example,  the  average  variance  among 
all  locations  was  cr2  «  3500  m2  while  the  theoretical  variance  offered  by  the  FTE  TA  is 
ct2a  ~  500  m2. 

18This  section  was  revised  from  [24]. 
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Figure  4.4.  Timing  advance  errors  recorded  in  real-world  LTE  network  de¬ 
ployments  in  Maryland  (a)  and  California  (b).  Adapted  from  [21], 


Second,  it  was  previously  hypothesized  [28]  that  the  underlying  error  distribution  could 
be  modeled  as  normal.  By  initial  inspection  of  these  data  with  the  normal  distribution  in 
Figure  4.4,  we  find  no  reason  to  reject  the  hypothesis. 

Next,  we  present  the  results  of  an  experiment  conducted  at  four  different  locations  and 
designed  to  elicit  the  difference  in  NLoS  versus  LoS  channels.  At  each  of  four  locations 
]A,B,C,D],  the  distance  to  a  serving  eNB  was  estimated  using  received  TAs.  The  first-  and 
second-order  statistics  of  the  resulting  error  are  presented  in  Figure  4.5.  Each  location  was 
characterized  as  either  a  dense  urban  (locations  A-C)  or  suburban  environment  (location 
D).  Dense  urban  locations  were  located  in  the  city  center  of  Baltimore,  Maryland,  which  is 
largely  comprised  of  tightly-packed  skyscrapers.  The  suburban  location  was  in  the  outlying 
area  surrounding  Baltimore.  At  each  location  the  distance  was  fixed  (i.e.,  the  UE  was 
stationary)  and  the  TA  was  recorded  for  a  period  of  one  minute  when  the  serving  eNB 
could  be  directly  seen  (LoS).  The  procedure  was  then  repeated  at  a  nearby  location  where 
there  was  a  major  obstruction  in  the  line-of-sight  to  the  same  serving  eNB.  Histograms 
representing  the  raw  error  measurements  are  presented  in  Appendix  A.  These  histograms 
can  be  interpreted  as  probability  mass  functions  since,  with  distance  constant,  the  error  will 
be  in  increments  of  78.125  m  (c.f.  (4.4)). 

Referring  to  Figure  4.5,  we  observe  little  difference  in  standard  deviation  between  LoS 
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Figure  4.5.  Data  are  presented  which  has  been  recorded  at  a  fixed  distance 
from  eNBs  in  dense  urban  and  rural  environments.  Data  were  recorded 
when  there  was  a  LoS  to  the  eNB  and  when  there  was  not  in  the  same 
general  location  at  four  different  locations  {A,B,C,D}.  Locations  A-C  are 
dense  urban  environments  and  location  D  is  a  suburban  environment.  Mean 
error  and  standard  deviation  of  error  are  presented. 


or  NLoS  conditions  or  dense  urban  or  suburban  environments.  The  measurement  error 
variance  can  then  be  considered  independent  of  channel  environment  which  is  consistent 
with  the  channel  model  presented  in  Chapter  2  and  with  previously  reported  results  [10]. 

Second,  the  mean  error  is  highly  dependent  on  channel  conditions  (i.e.,  LoS  versus  NLoS  or 
suburban  versus  dense  urban).  As  expected,  dense  urban  and  NLoS  environments  resulted 
in  a  higher  mean  error.  In  all  cases  the  mean  error  of  NLoS  measurements  was  significantly 
different  from  the  mean  error  of  the  LoS  measurements  at  the  5%  significance  level19.  Our 
experiments  yielded  a //nloS  -  AloS  6  [20  m,  80  m].  The  difference  in  urban  versus  suburban 
channels  was  also  noticeable.  Our  experiments  showed  //urban  -  //suburban  6  [60  m,  220  m]. 

Finally,  we  note  that  a  eNB-specific  TA  bias  is  present  in  each  one  of  the  data  sets  collected. 
In  other  words,  the  mean  of  all  measurements  (for  constant  channel  type)  will  differ. 
Referring  to  the  measurements  presented  in  Figure  4.5  we  see  that  for  LoS  environments 
the  mean  value  has  range  6  [-20  m,  114  m].  Similarly,  for  NLoS  environments  the  mean 

19Statistical  difference  was  established  using  Student’s  t-test  which  requires  the  underlying  data  to  be 
normally  distributed.  Despite  the  data  being  discrete,  this  assumption  is  further  validated  through  analysis  in 
Chapter  6. 
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value  has  range  6  [3 1  m,  1 97  m] .  While  it  was  for  these  observations  that  p nloS  ~  d Los  >  0, 
the  underlying  bias  is  more  difficult  to  predict.  This  is  a  value  that  must  be  measured  and 
understood  a  priori  in  order  to  use  the  TA  to  provide  an  unbiased  position  estimate.  As 
mentioned  in  Chapter  3,  this  quantity  is  assumed  as  a  given  input  to  the  overall  scheme.20 

4.8  The  Timing  Advance  as  a  Location  Privacy  Preserving 
Mechanism 

A  location  privacy  preserving  mechanism  (LPPM)  is  a  paradigm  for  protecting  user  location 
privacy  and  has  two  components:  obfuscation  and  anonymization  [58].  More  specifically, 
a  LPPM  is  a  formal  mechanism  for  modeling  the  amount  of  privacy  a  scheme  affords.  We 
thus  find  it  a  useful  construct  in  evaluation  of  the  TA  since  a  third  party  may  not  have 
network  assistance  in  obtaining  the  desired  parameters  for  positioning. 

The  act  of  obfuscating  a  location  will  add  noise  to  the  actual  location  d  =  /i(p)  thus  a 
third  party  using  obfuscated  only  data  (uj,  d)  will  have  access  to  user  identities,  but  the 
associated  location  data  will  be  imperfect.  The  act  of  anonymizing  data  will  replace  the 
user  identity  with  a  pseudonym  u  =  Jo  («/ )  thus  a  third  party  using  anonymized  only  data 
will  have  access  to  exact  locations  but  not  identities.  A  obfuscated  and  anonymized  data 
set  (u,  d)  will  provide  a  third  party  access  to  neither  piece  of  information  directly. 

Formally,  the  TA  can  be  modeled  as  a  LPPM.  The  noise  added  to  the  data  can  be  modeled 
with  the  function 

di  =  mod(||  p/  -p0  ||,  t)  (4.5) 

assuming  an  ideal  TA  model.  In  other  words,  the  TA  obfuscates  the  actual  UE  position 
through  a  process  of  spatial  quantization.  Next,  the  network  anonymizes  the  UE  through 
assignment  of  a  C-RNTI  [22].  As  previously  discussed,  the  C-RNTI  can  be  thought  of  as  a 
software  address  and  is  assigned  dynamically.  Therefore,  the  C-RNTI  mapping  fc-RNTi(') 
can  be  thought  of  as  LPPM  anonymization. 

This  LPPM  is  weak  for  several  reasons.  As  will  later  be  demonstrated,  the  quality  of  the 
location  obfuscation  declines  rapidly  when  multiple  eNBs  are  configured.  The  quality  of 
anonymity  provided  by  fc-RNTi(-)  is  also  in  question  [59],  [60].  We  therefore  assume 

20This  section  was  revised  from  [21], 
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C-RNTI  attribution  in  this  work  and  focus  specifically  on  de-obfuscation  of  the  UE  location 
Po-21 


21This  section  was  revised  from  [28], 
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CHAPTER  5: 

Cellular  Synchronization  Assisted  Refinement 


This  chapter  specifies  the  details  of  the  Cellular  Synchronization  Assisted  Refinement 
(CeSAR)  algorithm  for  improving  TA-based  positioning.  Besides  details  of  the  algorithm, 
implementation  of  the  required  sensor  is  also  included.  CeSAR  was  first  introduced  in  [24] 
and  is  also  studied  in  [21],  [28],  [29],  [61]. 

This  chapter  includes  adaptations  from  work  submitted  for  publication  or  previously  pub¬ 
lished  by  the  author.  Specifically,  section  5.1  is  revised  from  “On  Location  Privacy  in 
LTE”  by  John  Roth,  Murali  Tummala,  John  McEachen,  and  James  Scrofani  which  has  been 
submitted  for  publication  [29].  Section  5.3  is  revised  from  “Location  Privacy  in  LTE:  A 
Case  Study  on  Exploiting  the  Cellular  Signaling  Plane’s  Timing  Advance”  by  John  Roth, 
Murali  Tummala,  John  McEachen,  and  James  Scrofani  to  be  published  in  the  proceedings 
of  the  50th  Hawaii  International  Conference  on  System  Sciences  in  January  2017  [28]. 

5.1  The  Cellular  Synchronization  Assisted  Refinement  Al¬ 
gorithm 

CeSAR,  depicted  in  Figure  5.1,  involves  a  third  party  using  its  knowledge  of  a  UE’s  transmit 
timing  to  refine  an  area  within  the  initial  TA  annulus  where  that  UE  may  be  located. 


Figure  5.1.  A  single  eNB  implementation  of  the  CeSAR  algorithm 
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Algorithm  1  The  Cellular  Synchronization  Assisted  Refinement  Algorithm.  Source:  [29]. 

1:  procedure  CeSARIp^b,  pSensor, target  C-RNTI) 

2:  function  PSS/SSS  Sync() 

3:  sensor <—eNB  downlink  frame  timing 

4:  end  function 

5:  repeat 

6:  x  observed  C-RNTI 

7:  until 

8:  x  ==  target  C-RNTI 

9:  dj  <—  TAx78.125  m 

10:  t  est_Tx_Time(TA) 

11:  t'  <—  observed  uplink  burst  time 

12:  A t  <-  t'  -t 

13:  d'  =  At  ■  c 

A  A  A  A  rri 

14:  d  <—  [d i, . . .  ,dff,  d'] 

15:  p  =  argminp(d|d) 

16:  end  procedure 


Generally,  the  procedure  takes  advantage  of  the  fact  that  the  TA  contains  two  pieces  of 
information:  the  distance  of  the  UE  to  the  serving  eNB  and  the  UE’s  uplink  transmit  time. 
By  exploiting  both  of  these  pieces  of  information,  instead  of  just  the  eNB-UE  distance, 
a  refined  position  estimate  can  be  made.  If  a  local  sensor  knows  the  UE’s  transmit  time 
t  and  can  record  the  time  t'  when  the  sensor  observes  the  transmission  then  the  distance 
from  the  sensor  to  the  UE  can  be  determined  by  way  of  UE-sensor  propagation  delay.  In 
this  way,  CeSAR  applies  the  principle  behind  the  type  1  TA  at  the  sensor  location.  As 
previously  stated,  this  effectively  adds  another  dimension  to  the  system  of  equations.  A 
necessary  requirement  to  reap  this  benefit  is  a  sensor  in  the  serving  cell/sector  of  the  target 
UE.  In  addition  to  the  overall  system  initialization  requirements  (cf.  Chapter  3),  the  CeSAR 
procedure  further  requires  that  the  position  of  the  sensor  be  known  a  priori. 

Besides  improving  position  accuracy,  CeSAR  has  several  strengths  [29]: 

1 .  It  can  be  performed  completely  passively.  Therefore,  during  third  party  use  the  sensor 
cannot  be  detected  from  electromagnetic  emanations  [24]. 

2.  Strategic  positioning  of  the  sensor  can  overcome  GDoP  [10]  caused  by  eNBs  arranged 
disadvantageously.  This  is  a  strength  that  will  be  shown  in  Chapter  8  to  improve 
accuracy  significantly  [29]. 
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3.  The  sensor  need  not  be  complex.  The  advent  of  SDR  has  put  this  method  within 
reach  of  reasonably  skilled  actors.  Furthermore,  SDR  technology  has  significantly 
lowered  the  monetary  cost  of  entry  to  this  type  of  exploitation. 

4.  All  of  the  timing  information  is  sent  below  the  PDCP  sublayer,  and  thus,  in  the 
clear  [28].  Therefore,  there  is  no  need  to  bypass  encryption. 

Referring  now  to  Algorithm  1  and  Figure  5.1,  we  give  a  detailed  account  of  the  procedure. 
First,  the  sensor  listens  for  the  PSS/SSS  from  a  serving  eNB  (steps  2-4).  This  is  necessary 
for  synchronizing  itself  to  the  base  station  thus  giving  it  the  ability  to  decode  cell  data.  Next, 
the  sensor  decodes  packets  that  it  receives  until  it  finds  the  target  C-RNTI  (steps  5-8).  Once 
a  downlink  frame  being  sent  to  the  target  UE  has  been  identified  (step  8),  the  associated  TA 
is  observed  in  the  MAC  CE  and  converted  to  the  EiE-eNB  distance  dj  (step  9).  If  there  are 
N  serving  eNBs,  this  process  can  be  repeated  N  -  1  times.  Simultaneously,  the  TA  is  used 
to  estimate  the  target  UE’s  uplink  transmission  time  t  (step  10).  With  this  information,  the 
sensor  can  measure  the  propagation  delay  At  from  the  UE  to  the  sensor  and  convert  that  to 
a  UE-sensor  distance  measurement  d'  (steps  1 1-13).  This  additional  distance  measurement 
is  added  to  the  distance  measurements  [d\, . . . ,  c/,v  ]  obtained  from  the  N  serving  eNBs  to 
form  the  system  of  equations  represented  by  d. 

Note  that  steps  10-13  are  designed  to  extract  uplink  burst  timing  information  from  just  one 
of  the  N  serving  eNBs.  While  it  is  possible  to  extend  CeSAR  to  repeat  these  steps  across  all 
N  eNBs,  this  will  not  result  in  any  further  information.  To  see  this  consider  that  the  extra 
information  gleaned  describes  a  circular  locus  around  the  sensor,  therefore,  additional  uplink 
burst  timing  information  will  only  re-describe  the  same  circular  locus.  Thus,  attempting  to 
add  dimensionality  to  d  in  this  manner  will  result  in  dependent  equations  whose  loci  will 
have  an  infinitude  of  intersections. 

In  addition  to  being  nonlinear,  the  resulting  system  of  equations  is  inconsistent  with  high 
probability  due  to  measurement  error  induced  by  the  channel  (cf.  Chapter  2)  and  spatial 
quantization  associated  with  the  TA,  thus,  solving  this  system  is  non-trivial  and  the  impetus 
for  much  of  the  analysis  in  Chapter  6.  Presently,  it  is  sufficient  to  treat  the  nature  of  the 
measurement  error  as  following  some  unspecified  probability  density  p(d\d). 

In  order  to  estimate  the  target  UE  position,  p ,  we  frame  the  problem  in  the  maximum- 
likelihood  sense.  In  other  words,  for  a  set  of  observed  distance  measurements,  d.  the  most 
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Figure  5.2.  The  hardware  sensor  configuration  used  in  this  work 


likely  position  estimate  is  one  that  satisfies 

p  =  argminp(rf|d).  (5.1) 

p 

If  all  measurements  follow  the  same  error  distribution  then  we  can  parameterize  the  program 
represented  in  (5.1)  with  the  distribution  p(-).  The  claim  that  p  is  the  most  likely  location  of 
the  target  UE  is  heavily  dependent  on  the  knowledge  of  the  associated  error  distributions, 
thus,  characterizing  this  distribution  will  be  the  subject  of  analysis  in  Chapter  6. 22 

5.2  Sensor  Implementation 

As  previously  discussed,  the  sensor  need  not  be  sophisticated.  In  fact,  modern  SDR  solutions 
provide  a  vehicle  by  which  the  sensor  can  be  implemented.  At  the  time  of  this  writing,  the 
necessary  RF  components  for  such  a  SDR  solution  could  be  assembled  off  the  shelf  for  less 
than  $3000.  The  particular  solution  implemented  by  this  work  is  shown  in  Figure  5.2. 

The  RF  front  end  is  a  universal  software  radio  peripheral  (USRP)  N210  manufactured  by 
Ettus  Research.  The  processing  speed  is  high  enough  in  this  peripheral  such  that  the  maxi¬ 
mum  sample  rate  is  limited  by  the  Gigabit  Ethernet  connection  to  the  host  machine  which 
is  nominally  20-25  MSps.  The  RF  daughterboard  utilized  is  the  WBX  board  also  man¬ 
ufactured  by  Ettus  Research.  This  daughterboard  is  capable  of  modulating/demodulating 
baseband  signals  frequencies  in  the  range  of  50-2200  MHz  which  sufficiently  covers  the 
cellular  spectrum. 

22This  section  was  revised  from  [29]. 
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Figure  5.3.  An  overview  of  the  salient  logical  signaling  channel  organization 
in  GSM  . . 


5.3  Observability  of  Uplink  Frames 

Here  we  highlight  step  1 1  of  the  CeSAR  algorithm  which  requires  that  a  sensor  is  able 
to  observe  an  uplink  burst  from  a  specific  UE.  Because  LTE  uses  an  OFDMA  access 
scheme  [22],  the  sensor  would  need  to  know  what  resource  element(s)  were  assigned  by  the 
network  to  that  ETE.  Learning  this  information  without  direct  access  to  an  eNB  is  non-trivial, 
however,  possible.  This  possibility,  which  is  the  focus  of  this  section,  marks  a  significant 
shift  in  the  confidentiality  architecture  of  LTE.  In  this  section,  we  contrast  the  signaling 
plane  confidentiality  of  LTE  with  that  of  GSM  to  first  highlight  this  shift.  Additionally, 
the  contrast  demonstrates  that,  while  it  is  not  possible  to  decode  the  ETE  uplink  burst,  it  is 
possible  to  know  in  what  time-frequency  resource  it  will  be  sent. 

We  begin  by  first  presenting  the  salient  aspects  of  the  GSM  signaling  plane.  GSM  defines 
a  series  of  logical  channels  used  in  both  the  downlink  and  uplink.  They  are  broken  into 
two  categories  of  traffic  and  signaling  planes,  the  latter  of  which  is  shown  in  Figure  5.3. 
In  the  signaling  plane  are  three  groups  of  channels:  the  broadcast  (BCH),  common  control 
(CCCH),  and  dedicated  control  channel  groupings  (DCCH). 

Of  specific  interest  are  the  CCCH  and  DCCH  groupings.  Among  other  things,  the  CCCH 
is  responsible  for  the  random  access  procedure  via  the  random  access  channel  (RACH)  and 
the  access  grant  channel  (AGCH)  [62],  [63].  Of  note,  no  channels  in  the  CCCH  group  are 
encrypted  as  they  contain  information  relevant  to  multiple  users  [64]. 

Consider  a  ETE  with  information  to  transmit  to  the  network  and  without  a  current  valid 
scheduling  grant.  The  ETE  first  needs  to  request  assignment  of  a  Standalone  Dedicated 
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Figure  5.4.  The  radio  resource  allocation  procedure  for  a  GSM  connected 
UE  with  network  traffic 


Control  Channel  (SDCCH)  via  the  RACH  [63].  The  base  station  controller  (BSC)  will 
respond  with  an  IMMEDIATE  ASSIGNMENT  message  via  the  AGCH  assigning  a  specific 
SDCCH  to  the  requesting  UE.  Once  the  SDCCH  is  assigned  encryption  will  begin.  Finally, 
an  encrypted  ASSIGNMENT  COMMAND  gives  the  parameters  of  the  traffic  channel  (TCH)  to 
the  UE  [62].  Because  this  last  step  is  performed  after  encryption  begins,  the  confidentiality 
of  the  uplink  channel  signaling  is  effectively  preserved  in  GSM.  This  process23  is  presented 
graphically  in  Figure  5.4. 

Of  particular  interest  is  that  encryption  in  the  GSM  air  interface  is  performed  at  a  very  low 
level  immediately  preceding  modulation  (in  logical  channels  that  support  encryption)  [62] . 
This  strengthens  the  confidentiality  of  signaling  traffic. 

Similar  to  GSM,  LTE  also  specifies  a  series  of  logical  channels  albeit  organized  differently 
than  in  GSM.  LTE  has  a  more  flat  channel  architecture  so  a  hierarchy  is  not  presented.  Rather 
only  specific  channels  are  selected  for  discussion.  They  are  broken  into  the  downlink  and 
uplink  subgroups  of  which  the  former  is  of  particular  interest.  In  this  group  there  exists  a 
DCCH  similar  to  that  of  GSM,  however,  different  from  GSM  the  LTE  DCCH  is  a  bearer 
of  mainly  the  Radio  Resource  Control  (RRC)  layer  information.  Also  different  from  GSM, 
LTE  specifies  certain  physical  channels  onto  which  no  logical  channel  will  map.  Of  interest 
to  this  work  is  the  Physical  Downlink  Control  Channel  (PDCCH)  and  the  Physical  Uplink 

23Only  an  overview  of  the  major  steps  in  the  process  are  presented  for  clarity.  Furthermore,  the  base 
transceiver  station  (BTS)  and  base  station  controller  (BSC)  are  grouped  into  one  entity,  the  base  station 
subsystem  (BSS). 
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Figure  5.5.  The  radio  resource  allocation  procedure  for  an  LTE  connected 
UE  with  network  traffic  is  presented.  Only  an  overview  of  the  major  steps 
in  the  process  is  presented  for  clarity. 

Control  Channel  (PUCCH). 

In  LTE,  scheduling  is  the  responsibility  of  the  MAC  layer  and  is  done  dynamically  on  a 
frame-by-frame  (i.e.,  1  ms)  basis  [22] 24 .  Therefore,  unlike  GSM,  LTE  does  not  assign 
dedicated  control  channels  (i.e.,  the  GSM  SDCCH).  Instead,  the  information  pertaining  to 
uplink  scheduling  is  found  in  the  PDCCH  broadcast  in  the  L1/L2  control  region  of  each 
downlink  frame  [22] . 

Consider  a  UE  with  information  to  transmit  to  the  network  and  without  a  current  valid 
scheduling  grant.  The  UE  will  first  utilize  the  uplink  L1/L2  control  region  to  indicate  to 
the  eNB  that  it  requires  uplink  resources.  As  previously  discussed,  the  eNB’s  scheduling 
decisions  are  issued  via  the  PDCCH  in  the  L1/L2  control  region.  Each  scheduling  grant 
is  appended  with  a  cyclic  redundancy  check  (CRC)  which  is  calculated  with  the  intended 
recipient’s  radio  network  temporary  identifier  (RNTI).  Therefore  all  grants  sent  via  the 
PDCCH  are  checked  by  each  UE  with  their  allocated  RNTIs.  Grants  that  do  not  check  are 
discarded  as  either  not  intended  for  the  UE  or  invalid  [22].  The  PDCCH  is  continuously 
monitored  by  each  connected  UE  to  update  its  uplink  grant  allocation  as  it  is  changed 
dynamically.  This  process  is  presented  graphically  in  Figure  5.5. 

Next,  a  large  functional  change  in  LTE,  relative  to  GSM,  is  highlighted:  the  responsibility 
for  encryption  is  held  exclusively  in  the  PDCP  sublayer.  Therefore,  nothing  in  the  lower 
layers  (i.e.,  the  Radio  Link  Control  (RLC)  and  MAC  layers)  is  ciphered  [47].  A  consequence 
of  this  architectural  shift  is  that  a  significant  amount  of  signaling  is  sent  in  the  clear.  The 

24It  should  be  noted  that  the  network  can  also  optionally  choose  to  implement  semi-persistent,  vice  dynamic, 
scheduling. 
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requirement  for  transparent  signaling  is  also  built  into  the  uplink  scheduling  scheme  (cf. 
Figure  5.5)  which  would  not  work  if  ciphering  was  implemented  at  the  same  low  level  it  is 
in  GSM.  Therefore,  with  this  signaling  plane  confidentiality,  the  target  RNTI  is  only  needed 
to  decode  that  UE’s  unencrypted  uplink  resource  grants.25 


25This  section  was  revised  from  [28]. 
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CHAPTER  6: 

Theory  of  Random  Variable  Quantization 


In  this  chapter,  following  [65],  we  provide  an  account  of  the  theory  of  quantization  of 
a  RV  in  general  terms.  To  provide  an  impetus  for  the  subsequent  discussion,  we  first 
introduce  fundamental  and  relevant  concepts  such  as  the  CRLB  and  GDoR  We  then  derive 
the  conditions  necessary  to  satisfy  a  lower  bound  on  positioning.  This  chapter  provides 
the  theoretical  foundation  and  justification  for  a  method  of  maximum-likelihood  estimation 
developed  in  the  subsequent  chapter  and  follows  directly  from  work  previously  published 
by  the  authors  [21],  [29].  Specifically,  Sections  6.1  and  6.2  are  revised  from  “Maximum 
Likelihood  Geolocation  in  LTE  Cellular  Networks  Using  the  Timing  Advance  Parameter” 
by  John  Roth,  Murali  Tummala,  John  McEachen,  James  Scrofani,  and  Robert  DeGabriele  to 
be  published  in  the  proceedings  of  the  10th  International  Conference  on  Signal  Processing 
and  Communication  Systems  in  December  2016  [21].  Sections  6.4-  6.9  are  revised  from 
“On  Location  Privacy  in  LTE”  by  John  Roth,  Murali  Tummala,  John  McEachen,  and  James 
Scrofani  which  is  submitted  for  publication  [29] . 


6.1  The  Cramer-Rao  Lower  Bound  in  Time  of  Arrival  Po¬ 
sitioning 

The  CRLB  is  a  well-known  lower  bound  on  the  mean  square  error  (MSE)  or  root  mean 
square  error  (RMSE)  of  an  unbiased  estimator  [7],  [10],  [48].  In  this  work,  we  use  the 
RMSE  in  order  to  provide  results  that  are  easier  to  understand  in  terms  of  positioning 
accuracy.  Given  the  unbiased  estimate  p,  the  CRLB  is  formally  expressed  as 

a/e{(Po  -  P)2}  >  CRLB.  (6.1) 


In  matrix  form,  CRLB  =  TiTVR1 )  where  Tr(-)  is  the  trace  function  and  I  is  the  Lisher 
information  matrix  (LIM)  developed  for  the  To  A  application  as  [10] 


!{/,•}  = 


-E 
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Figure  6.1.  The  layout  of  an  actual  cellular  network  deployment  located  in 
Annapolis,  Maryland.  Source:  [21], 


where  the  subscript(s)  in  brackets  represent  the  matrix  or  vector  index.  The  proof  of 
this  relationship  for  a  general  unbiased  estimator  is  provided  in  Appendix  B.  When  the 
probability  distribution  function  (PDF)  is  normal  and  cr,-  =  cr,  Vz,  it  can  be  shown  that  [31] 


yZV  (-V-J Cj)2  Y  N  ( -V-.V,- )(!/-//,  ) 

A=1  d 2  A=1  d2 

yZV  {x-Xj)(y-i)i)  y  N  Uj-iji)- 

A= 1  d2  A= 1  rf2 

t  I 


(6.3) 


A  proof  of  the  relationship  presented  in  (6.3)  is  given  in  Appendix  C.  In  general,  the 
expectation  in  (6.2),  taken  with  respect  to  p,  may  not  have  a  closed-form  solution.  In  this 
case,  it  is  necessary  to  resort  to  numerical  integration  techniques. 


When  NLoS  conditions  are  present,  it  has  been  shown  that  the  CRLB  can  be  attained  when 
the  eNB(s)  with  NLoS  channel  conditions  are  discarded  and  only  those  remaining  with  LoS 
conditions  are  used  for  positioning  [66].  This  requires  the  ability  to  identify  and  discard 
those  measurements  [31]. 


In  order  to  show  typical  values  of  the  CRLB,  an  actual  network  deployment  in  Annapolis, 
Maryland,  shown  in  Figure  6.1,  was  evaluated26.  The  fourth  and  fifth  nodes  are  added 

26Latitude  and  longitude  have  been  converted  to  the  Cartesian  coordinate  system  where  the  axes  units  are 
given  in  meters. 
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(a)  (b) 


Figure  6.2.  The  curves  in  the  left  pane  show  the  CRLB  as  parameterized 
by  the  noise  level  cr  and  the  number  of  eNBs  N .  The  GDoP  is  also  shown 
in  the  right  pane  to  demonstrate  the  favorability  of  the  eNB  geometry  as 
nodes  4  and  5  are  added.  Source:  [21], 

successively  to  show  how  positioning  changes  as  more  nodes  become  available.  The 
theoretical  lower  bound  on  the  accuracy  of  an  unbiased  estimator  for  this  geometry  is  then 
shown  in  Figure  6.2  along  with  the  corresponding  trends  in  GDoP.  In  the  left  pane,  the 
abscissa  represents  the  error  in  distance  estimation  given  cr,  =  cr,  Vi.  The  values  are  chosen 
as  they  are  common  error  variances  in  ToA  positioning  [31].  The  ordinate  represents  the 
minimum  localization  RMSE  possible  in  meters.  In  the  left  pane,  the  abscissa  represents 
the  number  of  eNBs  N  and  the  ordinate  shows  the  GDoP  value  for  the  given  N. 

The  CRLB  can  then  be  said  to  be  a  function  of  several  parameters: 

1.  The  shape  of  the  probability  density.  The  more  peaked  the  shape  (i.e.,  kurtosis),  the 
lower  the  CRLB  (cf.  (6.2)). 

2.  The  variance  of  the  error  associated  with  the  parameter  to  be  estimated.  The  lower 
the  variance,  the  lower  the  CRLB  (cf.  Ligure  6.2  and  (6.3)). 

3.  The  number  of  available  eNBs.  In  general,  the  more  eNBs  available,  the  lower  the 
CRLB  (cf.  Ligure  6.2  and  (6.3)). 

4.  The  geometry  of  the  eNBs.  It  can  be  seen  in  (6.3)  that,  for  the  case  of  a  normal 
density,  the  geometry  is  completely  defined  by  the  angle  from  the  UE  to  the  eNB(s) 
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and  the  distance  is  mathematically  irrelevant27. 


The  sole  dependence  of  the  CRLB  on  the  associated  angles  in  the  geometry  and  not  the 
distance  can  be  seen  from  the  following  identities 


eos(0f)  =  ^ 
sin(0f)  = 


(6.4) 


where  8  is  the  angle  subtending  the  zth  eNB  and  the  UE.  Substituting  these  identities  into 
(6.3)  we  have 


I  = 


cos2(0i)  2,=|  cos(8i)sin(9j) 
cos(0i)sin(0i )  sinr(8i ) 


From  (6.5)  it  is  easy  to  see  how  the  CRLB  is  not  dependent  on  distance.28 


(6.5) 


6.2  Geometric  Dilution  of  Precision  in  Time  of  Arrival 
Positioning 

It  was  stated  in  the  previous  section  and  expressed  in  (6.3)  that  the  CRLB  is  a  function 
of  the  eNB  geometry.  The  effect  of  the  geometry  can  be  isolated  from  the  effect  of  the 
measurement  noise  by  dividing  out  the  measurement  error  to  yield  the  GDoP  given  as  [10] 


GDoP  = 


VTrq-1) 

CT 


(6.6) 


GDoP  can  generally  be  interpreted  as  the  factor  by  which  the  standard  deviation  of  the 
position  estimate  is  related  to  the  standard  deviation  of  the  distance  measurement 


-^E{(p0-p)2}  =  GDoP  x  ^E{(d-d)2}. 


(6.7) 


As  a  rule  of  thumb,  it  has  been  previously  reported  that  GDoP  values  of  less  than  three  are 
favorable  where  values  greater  than  six  are  not  [  10] .  Additionally,  values  of  less  than  one  are 

27It  has  been  previously  reported  that  the  standard  deviation  of  the  distance  measurement  is  distance 
dependent  [67],  Therefore,  although  c/,  does  not  affect  the  CRLB  directly  the  variance  may  actually  be  a 
function  of  the  distance  (i.e.,  cr i(dj)). 

28This  section  is  revised  from  [21], 
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Figure  6.3.  The  experimental  setup  of  the  GDoP  investigation 


possible  and  imply  that  the  position  estimate  will  have  a  smaller  standard  deviation  than  the 
individual  distance  estimates,  thus  a  geometric  concentration  of  precision  is  experienced. 

In  order  to  investigate  the  geometric  effect  of  eNB  s  on  positioning  we  again  turn  to  Figure  6.2. 
Here  the  right  pane  shows  how  the  geometric  state  improves  as  each  eNB  is  added  with 
and  without  CeSAR.  Without  CeSAR,  after  the  fifth  eNB  is  made  available  the  GDoP  is 
actually  less  than  one  where  the  aforementioned  implication  about  geometric  concentration 
of  precision  applies. 

In  traditional  cellular  networks  one  is  limited  to  the  GDoP  offered  by  the  existing  geometry. 
However,  one  advantage  of  CeSAR  is  that  the  location  of  the  CeSAR  sensor  can  be  chosen 
to  minimize  GDoP.  The  geometric  advantage  of  CeSAR  is  again  shown  in  the  right  pane  of 
Figure  6.2.  With  CeSAR,  the  GDoP  starts  at  one  when  N  =  3  and  continues  to  improve  as 
N  increases. 

To  generalize  the  idea  of  GDoP  beyond  this  specific  use  case  we  propose  a  notional  model  of 
three  eNBs  arranged  as  an  isosceles  triangle  as  in  Figure  6.3.  The  eNBs  are  all  approximately 
one  kilometer  apart.  An  area  of  one  square  kilometer,  centered  on  the  center  of  mass  of 
the  triangle,  is  chosen  as  an  area  reasonably  served  by  all  three  eNBs.  The  geometry  of  the 
eNBs  is  systematically  changed  by  lowering  the  base  angle  of  the  isosceles  triangle  (keeping 
the  base  distance  constant).  The  GDoP  is  then  sampled  uniformly  throughout  the  serving 


Figure  6.4.  The  maximum,  minimum,  and  mean  GDoP  in  a  serving  area  of 
a  collection  of  three  serving  eNBs  is  presented  here.  The  eNBs  are  arranged 
in  an  isosceles  triangle  with  the  base  edge  approximately  one  kilometer  long 
and  with  the  base  angle  specified  by  the  abscissa.  Source:  [21], 

area  and  the  results  recorded  in  Figure  6.4.  The  regions  of  GDoP  noted  by  [10]  as  having 
suboptimal  geometries  for  positioning,  according  to  the  aforementioned  rule  of  thumb,  are 
shown  in  the  figure.  The  maximum  GDoP  within  the  region  quickly  exceeds  acceptable 
limits  while  the  mean  and  minimum  remain  within  acceptable  limits  throughout.  This  trend 
across  statistics  suggests  that  the  more  collinear  eNBs  are  in  the  geometry,  the  worse  the 
environment  for  positioning.  We  note  that  this  study  is  conservative  as  the  maximum  values 
of  GDoP  remain  on-axis  with  the  triangle  base  and  outside  of  the  convex  hull  of  the  triangle 
which  is  not  well  represented  by  the  serving  area. 

These  results  suggest  that,  on  average,  the  geometry  of  eNBs  should  not  be  unfavorable. 
While  GDoP  will  always  affect  the  accuracy  of  the  position  estimate,  even  with  very  severe 
collinear  eNB  geometry  (such  as  that  seen  frequently  in  main  thoroughfares  like  major 
highways),  harsh  GDoP  effects  may  not  be  common.  An  interesting  corollary  is  that 
because  GDoP  is  only  a  function  of  the  angles  between  the  UE  and  eNBs  (cf.  (6.5))  the 
density  of  eNBs  will  not  have  an  effect  on  the  positioning  accuracy.  Therefore  we  should  not 
expect  that  the  recent  move  towards  cell  densification  [68],  as  a  means  to  increasing  data 
throughput,  will  improve  positioning  performance  purely  vis-a-vis  denser  infrastructure 
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Figure  6.5.  Geometric  pathology  in  a  two  eNB  positioning  scenario 


geometry.29 


6.3  Pathological  Geometries 

The  CRLB  is  only  a  meaningful  lower  bound  if  the  estimate  is  unbiased  [48].  However,  the 
infrastructure  may  be  physically  organized  such  that  an  unbiased  estimate  is  not  possible. 
We  call  this  situation  a  pathological  geometry.  To  understand  this  phenomenon,  consider 
the  positioning  scenarios  shown  in  Figure  6.5.  In  both  figure  panes  a  Monte  Carlo  study  is 
conducted  where  there  are  two  serving  eNBs  (N  =  2)  from  which  a  target  will  be  located. 
The  distance  estimate  made  from  each  eNB  is  corrupted  by  a  normal  error  source.  The 
axes  are  given  in  distance  normalized  by  the  standard  deviation  where  <t\  =  <X2.  Since,  in 
a  two  eNB  scenario,  it  is  equally  as  likely  that  the  UE  is  on  either  side  of  the  abscissa  we 
restrict  the  solution  space  to  points  which  lie  above  the  x-axis.  In  the  left  pane,  the  UE  to  be 
located  is  almost  directly  in  between  the  two  eNBs.  In  the  right  pane,  the  UE  to  be  located 
is  offset  by  5cr.  By  inspection  of  the  resulting  probability  clouds,  it  is  not  hard  to  see  that 
the  geometry  in  the  left  pane  is  biased  while  the  geometry  in  the  right  pane  is  not. 

This  pathology  arises  from  the  fact  that  the  CRLB  does  not  take  symmetry  into  account 
which  naturally  arises  in  a  two  eNB  scenario  (i.e.,  it  is  equally  likely  that  the  position 
estimate  is  above  or  below  the  x-axis  for  a  given  set  of  distance  estimates).  The  symmetry 

29This  section  is  revised  from  [21], 
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is  described  in  this  scenario  by  the  line  y  =  0,  which  we  term  the  symmetry  directrix. 
Symmetry  of  this  sort  can  be  dealt  with  by  artificially  restricting  the  solution  space,  as  we 
have  done  in  Figure  6.5.  Not  doing  this  dramatically  increases  the  resulting  error  since  if 
the  position  estimate  on  the  wrong  side  of  the  directrix  is  chosen  the  error  will  be  much 
larger.  Therefore,  regardless  of  whether  the  solution  space  is  artificially  restricted  or  not, 
the  estimate  will  be  biased.  To  see  this,  consider  the  pathological  geometry  in  the  left  pane 
of  Figure  6.5  and  note  that  a  significant  number  of  position  estimates  lie  approximately  on 
the  x-axis.  This  arises  from  the  scenario  where  the  sum  of  the  distance  estimates  from  the 
eNBs  is  less  than  the  distance  between  the  eNBs.  Put  another  way,  if  the  distance  estimates 
were  represented  as  circles  centered  on  their  respective  eNBs,  they  would  not  intersect.  It 
is  clear  that  in  this  scenario  the  most  likely  position  estimate  will  lie  somewhere  on  the  line 
connecting  the  two  eNBs.  In  fact,  for  this  scenario,  this  will  happen  approximately  one-half 
of  the  time  and  is  a  significant  source  of  bias.  In  contrast,  when  the  target  moves  far  enough 
away  from  the  eNBs  this  bias  disappears  since  the  distance  estimate  circles  will  intersect 
the  vast  majority  of  the  time.  In  this  case  the  probability  cloud  that  is  generated  looks  as 
we  would  expect  one  to  look  that  was  generated  from  normal  error.  Alternatively,  if  a  third 
eNB  is  included,  the  bias  will  also  disappear  since  the  third  eNB  will  help  adjudicate  the 
position  estimate  in  the  direction  orthogonal  to  the  symmetry  directrix. 

Bias  will  be  introduced  anytime  a  position  estimate  is  found  without  sufficient  information 
in  each  of  the  orthogonal  bases  for  the  coordinate  system  in  use  (seen  in  the  left  pane  of 
Figure  6.5).  For  measurements  with  normally  distributed  error  and  two  eNBs,  this  means 
the  UE  should  be  at  least  3cr  away  from  the  directrix.  The  rule  of  thumb  to  avoid  bias  is 
less  straightforward  when  N  >  2  where  numerical  means  can  be  used  to  estimate  bias. 

6.4  The  Probability  Density  of  a  Quantized  Random  Vari¬ 
able 

Quantization  is  sometimes  regarded  as  a  non-linear  operation  making  analysis  of  the  asso¬ 
ciated  operations  difficult.  Here  we  review  the  work  presented  in  [65]  and  highlight  that 
quantization  can  be  shown  to  be  a  linear  injective  operation  in  the  RV  signal  space.  This 
realization  will  justify  use  of  the  latent  continuous  distribution  in  a  MLE. 
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First,  consider  a  latent  RV  N  which,  has  the  specific  probability  density 

Pn(x)  =  — L  (6.8) 

\2ncr 

and  cumulative  distribution  function 

fAr(x)=O^J  (6.9) 

such  that  N  has  zero  mean  and  some  variance  cr.  For  convenience,  and  due  to  the  assumption 
that  cr,  =  cr  Vi,  we  hereafter  use  only  <D(x)  to  represent  the  cumulative  density  of  N .  We 
define  the  specific  distribution  of  N  to  simplify  the  discussion  of  quantization  on  variance 
(cf.,  Figure  6.6)  although  the  analysis  presented  is  applicable  to  other  distributions.  We  will 
later  show  this  choice  of  a  normal  distribution  is  appropriate  for  TA-based  positioning. 

Next,  consider  a  quantization  function  Q  such  that  Q  :  N  —>  N'  and  the  density  of  N'  is 
given  as 

PN'(x)  =  ^  a„6(x  -  m).  (6.10) 

n 

Here  we  make  use  of  the  shorthand  to  represent  the  sum  over  all  n  6  Z,  8 ( ■ )  to  represent 
the  Dirac  delta  function,  and  a  to  represent  some  appropriate  scaling  parameter.  The 
relation  in  (6.10)  can  be  regarded  as  a  quantized  version  of  N  with  bins  evenly  spaced  by  r. 
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It  is  well-known  that  the  quantization  operation  contributes  to  the  overall  noise  of  the 
resulting  signal.  This  is  represented  by  the  convolution  pm(x)  with  a  uniform  distribution 
Pu(x)  with  support  6  [-r/2,  t/2\.  As  a  first  step  in  defining  <3.  consider  the  result  of  this 
convolution  which  is  presented  in  detail  in  Appendix  D 

pN{x)*pu(x)  =  -[$(i  +  t/2)-0(i-t/2)]  (6.11) 

r 

where  0(x  -  if/)  is  the  cumulative  density  of  pn(x)  shifted  by  some  amount  if/.  The  second 
and  final  step  taken  in  defining  Q  is  a  multiplication  of  (6. 1 1)  with  an  impulsion  train  (Dirac 
comb)  scaled  by  r,  HIr(.*),  with  periodicity  r.  This  process  is  presented  graphically  in 
Figure  6.6. 


To  verify  that  (6.10)  follows,  observe  that 

t8{x  -  nr)  j-  [0(jc  +  r/2)  -  ®(.r  -  r/2)]  = 

^  8(x  -  nr)  [©(/? r  +  r/2)  -  ®(nr  -  r/2)] . 


(6.12) 


Next,  let 


an  =  [®(nr  +  r/2)  -  0(«r  -  r/2)] .  (6.13) 

Finally,  by  substituting  (6.13)  into  (6.12)  we  arrive  at  (6.10). 

To  see  the  equivalency  of  Q  to  quantization  consider  (6.11)  as  the  difference  of  two  scaled 
cumulative  densities  (c.f.,  Figure  6.6).  The  product  of  that  density  with  a  Dirac  delta  results 
in 


t6(x  -  x\)  ( pn{x )  *  pu(x ))  =8{x  -  .vi)[©(a:i  +  r/2)  -  ®(xi  -  r/2)] 

rxi+r/2 


/ 

J  X 1 


=S(x  -  xi) 

I  x\-t/2 

--aXl/TS(x  -  x\) 


PN{x)dx 


(6.14) 


where  the  Dirac  delta  represents  a  bin  centered  on  ij.  The  result  of  the  product,  given 
in  (6.14),  is  exactly  the  quantization  operation,  shown  in  Figure  6.7,  a  direct  result  of  the 
definition  of  a  cumulative  distribution  function. 
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T 


Pn(x) 


XI 

Figure  6.7.  The  quantization  of  a  normal  RV  with  bin  size  r  and  bin  centers 
xi  +  nr  is  presented  here.  Adapted  from  [65]. 

Note  that  all  steps  taken  in  Q  are  linear  and  thus  also  commute.  Therefore,  while  the 
operation  is  indeed  non-linear  in  the  observation  space  (i.e.,  the  result  of  a  quantized 
observation  cannot  be  undone),  the  operation  is  linear  in  signal  space.  This  will  be  the 
subject  of  further  discussion  in  a  subsequent  section.30 

6.5  The  Characteristic  Function  of  Quantized  Random 
Variable 

T 

Consider  pu(x)  < — >  7V(VA)  which  are  related  via  the  Fourier  transform  and  define  Pn(<P) 
as  the  characteristic  function  (CF)  of  pu(x).  The  Fourier  equivalent  steps  that  define  the 
mapping  of  the  CFs  under  Q  is  shown  graphically  in  Figure  6.8  and  given  precisely  by 
UI2K/T((f>)  *  Pjvifi)  ■  Pu(<P)  which  yields 

Pn'(4>)  =  ^  K(<t>  ~  2nn/r).  (6.15) 

n 

Here  A{(p)  is  the  result  of  the  product  of  CFs  Pn{4>)  and  Pu((p)  explicitly  given  by 

~(</>o-)2  ( d)T\ 

Pn(<P)  ■  Pu(<P)  =  ^  2  Sine  yJ  (6.16) 

30This  section  is  revised  from  [29], 
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where  the  product  itself  is  trivial  and  the  derivation  of  the  exact  CFs  for  Pu((p )  and  Pu((p), 
given  N  is  normal,  can  be  found  in  Appendix  E.  Finally,  we  arrive  at  P^{<p)  by  performing 
the  convolution 

tfbr/rW  *Pm(4>)  ■  PuW  =  2  sine  I- - - - 

n  ' 

By  comparing  (6.17)  to  (6.15)  we  can  see  that 

/  d)T\ 

A(<p)  =  e  2  sine  (  —  j  (6.18) 

and  the  separation  of  An(<p)  is  inversely  proportional  to  r.  To  graphically  show  the  effect  of 
Q  in  the  Fourier  domain,  the  An((p )  are  shown  in  Figure  6.8  with  dashed  lines  while  their 
sum  is  shown  with  a  boldface  line.  Also,  the  quantization  operation  in  the  Fourier  domain 
is  completely  defined  by  linear  operations,  thus  fully  injective  in  the  RV  parameter  space. 
Stated  another  way,  given  a  quantized  probability  density  function  one  is  able  to  recover  the 
latent  probability  density  function31  by  reversing  the  above  steps.  The  fact  that  quantization 
is  injective  in  the  RV  parameter  space  in  both  domains  is  an  important  point  that  will  be 
used  to  justify  later  statistical  claims.32 

31We  note  that  certain  conditions  must  be  met  in  order  for  this  to  be  true  and  are  discussed  later  in  this 
chapter. 

32This  section  is  revised  from  [29], 


(6.17) 
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X 


Figure  6.9.  The  cumulative  density  function  of  p'N(x )  as  r  — »  0 

6.6  The  Effect  of  Quantization  Bin  Size 

Next  we  vary  r  to  examine  the  effect  of  the  bin  size  on  pw{x)  and  We  will  later 

expand  on  these  observations  to  explain  the  effect  of  r  on  the  variance  of  AT. 


6.6.1  The  Effect  of  Quantization  Bin  Size  as  r  — »  0 

To  understand  the  effect  of  a  decreasing  r  on  (6.10)  and  (6.15)  let  r  — >  0  and  let 

Fn,(x)  =  Pr[7Vr  <  x]  (6.19) 


so  that  Fyv'(^)  is  the  cumulative  distribution  function  of  N' .  Using  (6.10)  and  (6.13)  we 
can  define  the  cumulative  distribution  function  explicitly  as 


UJt 

Fn’(x)  =  ^  an 

n=—oo 

L  -Or 

=  ^  [<J>(/7T  +  r/2)  -  O (nr  -  r/2)] 


=  <h(UJr) 


(6.20) 
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where  |_-Jr  is  the  floor  operator  taken  with  respect  to  r.  Next  observe  that 

lim  O  (\_x\T)  =  O(.r)  (6.21) 

T  — >0 

therefore  the  cumulative  density  of  N'  — >  N  as  r  — >  0  since 

lim  L.rJT  =  (6.22) 

T  — >0 

This  convergence  in  r  — >  0  of  F\n(x)  — >  F^(x)  is  shown  graphically  in  Figure  6.9.  It 
follows  then  that 

lim  pN’(x)  =  pN(x).  (6.23) 

T— >0 

From  this  relationship  it  is  a  trivial  step  to  see  that 

lim  /V  W  =  P/sf((p)  (6.24) 

r— >0 
T 

since pu(x)  < — >  P/^(cf>).  To  verify,  consider  Pn’((P)  and  note  that  as  r  — >  0  the  separation 
between  An{(p)  increases  to  oo.  Therefore,  we  can  say  that 

lim  P/v'(0)  =  A0 (0)  (6.25) 

r— >0 

and  note  that  Ao(0)  =  P\i{(!>)  which  verifies  the  relationship  in  (6.24). 

Another  intuitive  way  of  verifying  this  relationship  is  to  note  that  as  r  — >  0  we  are  no  longer 
quantizing  the  latent  RV.  This  view  is  consistent  with  (6.23)  and  (6.24). 

6.6.2  The  Effect  of  Quantization  Bin  Size  as  r  — >  oo 

To  illuminate  the  effect  of  an  increasing  r  on  (6.10)  and  (6.15)  consider  the  case  when 
r  — >  oo.  It  can  be  seen  that 

lim  pn’(x)  =  d(*)  (6.26) 

T — >00 

since  as  r  — >  oo,  ciq  — >  1  and  an  — >  0,  V/?  4=  0.  Note  that  as  r  — >  oo  the  center  bin  extends 
to  cover  all  of  R1  and  thus  the  output  of  the  quantizer  is  deterministic.  To  see  this,  consider 
(6.13).  Here  the  difference  of  [0(/7T  +  r/2)  -  ® (nr  -  r/2)]  — >  1  since  the  integral  in  (6. 14) 
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Figure  6.10.  The  CF  as  r  — »  oo 


as  r  — >  oo  for  n  =  0  is 


lim 

T  — >00 


nriT+r/  2 

/  PN^x)dx 

J  tlT—T 


r/2 


>;=0 


Pu(x)dx  =  1 


Conversely,  V/r  ^  0  the  limit  is 


lim 

T— >00 


pm+T/l 

J m—r/2 


Pm(x)  dx 


ni=0 


Pm(x)  dx 


pu(x)  dx  =  0. 


(6.27) 


(6.28) 


Note  that  this  relationship  can  be  extended  to  any  probability  density  function  since  Pr[v  < 
oo]  =  1,  Pr[x  <  -oo]  =  0  for  any  RV  X,  and  since  the  CDF  is  monotonic. 


Similarly,  let  r  — »  oo  for  /V'(<fo.  This  time  the  separation  between  An-\  and  A„  will  go  to 
0  which  follows  from  the  limit  of  In/r  as  r  — »  oo.  Because  >((/>)  is  the  sum  over  all  n 
we  find 

lim  /VW  =  1  (6.29) 

T— >00 

which  is  verified  numerically  in  Figure  6.10.  Here  we  find  that  the  limit  is  reached  quite 
quickly  at  around  10cr.  Note  also  that  Vr,  AVTO)  =  1  satisfying  the  requirement  that 
IooPN'(x)dx  =  1. 
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The  result  in  (6.29)  can  be  verified  by  taking  the  Fourier  transform  of  (6.26) 

8{x)  1  (6.30) 

T 

which  follows  from  the  requirement  that  p^r{x)  ->  Pn  >((p)  Vr.  Therefore,  the  Fourier 
pairs  must  agree  at  all  extrema  of  r.33 


6.7  The  Variance  of  a  Quantized  Random  Variable 

Recall  that  the  kth  moment  can  be  derived  from  the  CF  via  the  relationship  [65] 

We  proceed  from  (6.31)  with  the  CF  in  (6. 1 5)  and  the  definition  (6.8).  Note  that  because  (6.8) 
is  zero  mean,  then  the  case  where  k  =  2  is  equivalent  to  the  variance  (i.e.,  E{yV'2}  =  cr2). 
Rather  than  derive  a  closed  form  solution  for  (6.31)  we  use  the  relationships  derived  in  the 
previous  section  for  the  CF  at  extrema  of  r  in  order  to  investigate  the  effect  of  r  on  E{AC2}. 


Consider  first  the  case  when  r  =  0  such  that  (6.24)  applies.  Using  (6.31)  it  is  easy  to 
verify  that  E{//'2 }  =  E{?72}  since  (6.23)  and  (6.24)  hold.  The  result  is  also  found  directly  in 
Appendix  E  through  evaluating  (6.31).  Now  let  r  =  e  where  e  is  some  positive,  arbitrarily 
small  number.  Since  e  is  small  it  is  not  necessary  to  consider  any  An(cp  -  Inn/r)  where 
77  4=  0.  This  follows  from  the  fact  that  the  term  when  77  =  1  is  found  at  2 n/e.  If  e  is 
sufficiently  small  then  this  value  of  this  term  at  zero  will  effectively  be  zero.  This  result  is 
proven  in  Appendix  F.  With  this  in  mind,  and  for  sufficiently  small  e,  the  variance  of  N'  is 
found  via 


E{JV/2}  =  - 


d1  Aq(4>) 
d(p 2 


0=0 


(6.32) 


33Section  6.6  is  revised  from  [29]. 
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Using  the  product  rule,  the  derivative  can  be  evaluated  as 


d 2 

-TP)  pu(<P)Pn(<P)  - 
d(p - 

+  ^PuWPnW  (6-33) 

+  2—Pu(<t>)—Pu(<t>)- 


Notice  that  when  evaluated  at  (p  =  0  the  first  and  second  derivatives  of  Pn{<P)  are  0  and 
-cr2  respectively.  Also,  note  that  Pv( 0)  =  P^ (0)  =  1.  After  applying  these  observations 
and  distributing  the  negative  sign  we  can  simplify  (6.33)  to 


d2A0((p)  2  dr  p 

d<f> 2  0=o  d<p 2  u 


(6.34) 


This  derivation  is  made  more  rigorous  in  Appendix  E.  Since  Pu(<p)  is  concave  down  Vr  >  0 
at  (p  -  0  we  have  that 


E{JV2}  <  E{N'2} 


(6.35) 


where  the  inequality  is  strict  for  a  sufficiently  small  and  non-negative  e34. 


Next  consider  the  case  when  r  =  oo.  Recall  from  (6.29)  that  P^{(p)  -  1.  It  can  be  verified 
that  the  second  derivative  is  0  for  0  =  0.  This  result  is  found  explicitly  in  Appendix  E. 
Thus,  when  r  is  very  large  the  variance  of  N'  becomes  very  small  such  that  the  inequality 
in  (6.35)  is  reversed  for  a  sufficiently  large  r. 


This  behavior  of  the  variance  as  r  — >  oo  requires  that  Illr(.v)  is  not  shifted  relative  to  the 
mean  of  N.  In  other  words,  >jj  -  0  for  IIir(.v'  -  if/)  in  Q.  The  difference  in  pw(x)  is  shown 
in  Figure  6.1 1  for  =  0  (left  pane)  and  if/  =  r/2  (right  pane).  Subsequently,  we  will  show 
that  these  values  of  if/  are  particularly  important  when  evaluating  the  extrema  of  E{A/r'2}. 

34The  value  of  the  second  term  in  (6.34)  can  be  calculated  to  a  high  degree  of  accuracy  using  Sheppard’s 
corrections  [69]  when  r  <  cr  [65]. 
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(a)  (b) 

Figure  6.11.  The  difference  in  pw(x)  for  the  extrema  of  the  shift  factor  ip 


To  continue  the  analysis,  consider  when  ip  =  r/2  such  that 

PAf'OI<A)|,/,=r/2  =  anpS(x  -  riT  -  ip)  =  ^  aIUT/ 2  S(x  -  3nr/2)  (6.36) 

n  (A=r/2  n 

and  again  let  r  — >  oo.  In  this  case,  we  can  approximate 

lim/2jV'(.r|i/0  =  ~6(x  +  r/2)  +  -<S(*  -  r/2).  (6.37) 

(A=r/  2  2  2 

The  proof  for  this  result  is  given  in  Appendix  E. 

By  inspection  of  (6.37),  it  follows  then  that  as  r  — >  oo,  E{Af'2}  — »  oo.  It  can  be  shown  that 
as  ip  increases  (or  decreases)  from  ip  =  r/2  for  a  constant  r  where  ip  6  [0,  r],  the  second 
moment  of  N'  returns  to  zero.  It  can  further  be  shown  that  these  variance  maxima  occur 
for  values  of  ip  =  kr  +  t/2  which  have  corresponding  minima  at  ip  -  Lt  for  k  e  Z.  For 
sufficiently  large  r  the  second  moment  then  exhibits  periodic  behavior  with  period  r.  The 
proof  for  these  results  are  given  in  Appendix  E. 

Having  established  that  E{Af'2}  is  periodic  in  ip,  let 

E{Af/2}  =  f3f  (ip,x)  +  C  (6.38) 
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Source:  [29]. 


presented. 


where  /  (•)  is  a  function  which  is  periodic  in  if/  with  period  r.  The  amplitude  of  /(■)  is  [3  and 
has  offset  C.  It  will  subsequently  be  useful  to  determine  the  r  for  which  E { TV 2 }  <  C  -  / S/2 
(i.e.,  the  value  at  which  the  variance  of  the  quantized  RV  is  guaranteed  to  be  larger  than 
the  variance  of  the  latent  RV  iift,  E { Af 2 }  <  E{AT2}).  To  find  this  range  let  i/r  =  0,  which 
we  have  previously  seen,  is  the  minimum  of  (6.32).  To  make  calculations  more  tractable 
we  only  consider  n  e  {-1,0, 1}  in  (6.10).  Because  this  function  is  even,  the  value  of 
a_i  =  a\  =  0(-r/2).  The  desired  bound  on  the  variance  of  this  probability  mass  can  then 
be  shown  to  be  (cf.  Appendix  G) 


2t20(-t/2)  <  rr2  (6.39) 

where  equality  holds  when  r  «  3.4cr.  Thus,  we  state  that  r  <  3.4cr  is  a  necessary  and 
sufficient  condition  such  that  the  inequality  in  (6.35)  holds  Vi/o 

To  better  illustrate  the  relationship  between  if/  and  E { TV'2 }  consider  Figure  6.12.  Here  the 
shape  of  (6.38)  is  shown  for  various  values  of  r  when  i]/  e  [0,  r].  Both  ijj  and  the  variance 
have  been  normalized  such  that  it  is  easier  to  compare  the  effect  of  r  and  il/.  First,  note  that 
as  r  increases  the  amplitude  /?  also  increases.  As  previously  calculated,  (6.38)  always  stays 
above  cr N  for  r  <  3.4cr.  As  r  increases  beyond  this  bound  then  the  minimum  value  of  the 
variance  may  drop  below  cr #  for  certain  if/ .  Second,  note  that  for  sufficiently  small  r  (e.g., 
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r  <  cr  in  this  study)  the  observed  variance  of  N'  is  very  close  to  the  corrected  variance 
of  N  which  agrees  with  Sheppard’s  famous  corrections  [69].  However,  as  r  grows  above 
cr  the  correction  becomes  less  accurate.  As  the  trend  in  the  Figure  6.12  suggests,  and  the 
analysis  has  shown,  for  larger  r  the  minimum  of  (6.38)  will  eventually  reach  zero  and  the 
maximum  will  grow  to  infinity.35 

6.8  Information  Loss  in  a  Quantized  Random  Variable 

Here,  following  [65],  we  invoke  the  analogy  of  traditional  sampling  theory  and  the  Nyquist 
rate  in  order  to  investigate  injectivity  in  N  i— »  QiN).  Recall  that  when  sampling  a  signal, 
the  sampled  output  is  considered  representative  of  the  input  continuous-time  signal  if  and 
only  if  the  sampling  rate  is  greater  than  or  equal  to  twice  the  highest  frequency  in  the 
continuous-time  signal.  If  this  condition  is  met  we  may  say  that  the  sampling  operation  is 
injective.  Stated  another  way,  if  the  former  condition  is  met,  we  may  perfectly  recover  the 
continuous-time  signal  from  the  sampled  representation  because  the  sampled  representation 
contains  all  of  the  information  of  the  original  signal. 

Notice  the  similarity  between  sampling  and  quantization.  The  connection  is  illustrated  by 
the  second  step  in  defining  Q  which  involved  multiplication  of  a  scaled  impulsion  train 
I flj-  f.v)  with  the  convolved  latent  density.  If  our  goal  is  to  recover  the  latent  density 
then  the  conditions  necessary  and  sufficient  for  said  recovery  is  of  interest.  Widrow’s 
First  Quantization  Theorem  (QTl)  states  that  if  a  RV  is  bandlimited36  by  ±7t/t  then  the 
distribution  and  CF  of  the  latent  RV  can  be  perfectly  recovered  [70] .  The  implications  of  this 
theorem  are  far  reaching,  however,  many  real-world  RVs  are  not  bandlimited.  For  instance, 
the  normal  RV  is  an  example  of  an  extremely  common  RV  whose  CF  has  infinite  support. 
Thankfully,  Widrow  also  noticed  this  difficulty  and  showed  in  his  Second  Quantization 
Theorem  (QT2)  that  an  approximately  bandlimited  RV  (relative  to  the  bin  size  r)  can 
also  be  recovered  with  high  fidelity  [70].  The  recovery  of  moments  is  closely  related  to 
Sheppard’s  correction,  which  is  shown  here  for  the  second  moment  [69] 

7-2 

E072}=E{/7'2}--.  (6.40) 

35This  section  is  revised  from  [29], 

36Widrow  uses  the  term  “bandlimited”  to  define  the  case  when  a  CF  has  finite  support  [65]. 
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Widrow  offers  r  <  cr  as  a  rule  of  thumb  to  define  the  condition  necessary  to  satisfy 
QT2  [65].  The  efficacy  of  this  rule  of  thumb  is  verified  by  inspection  of  Figure  6. 12. 37 

6.9  A  Lower  Bound  for  the  Variance  of  a  Quantized  Ran¬ 
dom  Variable 

ffere,  we  invoke  the  CRLB  (cf.  (6.1))  to  show  it  as  an  appropriate  lower  bound  for  a 
quantized  RV. 

Theorem  1:  For  a  latent  RV,  parameterized  by  6 

Var e{p}  >  CRLB0,  r  e  [0,  3.4cr]  (6.41) 

where  p  is  an  unbiased  estimator  of  theta  which  uses  quantized  observations  of  the  RV  to 
estimate  6. 

Proof:  Consider  the  RV  N  which  is  then  quantized  with  bin  size  r  and  f  =  0.  If  we 
let  r  — >  0  then  the  relationships  (6.24)  and  (6.23)  apply  and  the  proposition  becomes  the 
standard  CRLB. 

Next,  as  r  increases  from  zero  (6.10)  can  also  be  seen  as  a  sum  of  shifted  and  scaled 
Bernoulli  “pseudo-distributions”.  We  note  that  each  of  the  pseudo-distributions  is  not 
a  true  distribution  since  the  resulting  sum  must  satisfy  joopsj'{x)dx  =  1  and  therefore 
0  <  foopa,n(x)dx  <  1  in  where  p„n (x)  is  the  nLh  pseudo-distribution. 

Next,  recall  that  the  Fisher  information  of  a  Bernoulli  RV  is  given  by  I  i  p)  =  cr~ 2  where 
cr^  is  the  variance  of  a  Bernoulli  RV.  Therefore  the  Fisher  information  of  the  quantized  RV 
is  given  by 

I(x')  =  YJIn(p)  =  J]d-;2  (6.42) 

n  n 

where  a2  is  the  pseudo-variance  of  the  nth  Bernoulli  pseudo-distribution. 

Now  we  have  already  shown,  and  Sheppard’s  correction  for  the  second  moment  (6.40) 
37This  section  is  revised  from  [29], 
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Figure  6.13.  The  variance  of  a  MLE  of  a  quantized  RV  parameterized  by  r 
is  presented  for  two  different  offsets  \p.  Source:  [29]. 

verifies  (c.f.  also  Figure  6.12),  that  for  small  r  the  following  will  hold 


(6.43) 


n 


Stated  another  way,  the  variance  of  the  quantized  signal  must  not  be  smaller  than  that  of 
the  latent  signal.  Therefore,  the  Fisher  information  of  the  observed  RV  will  not  be  larger 
than  the  Fisher  information  of  the  latent  RV  and  the  inequality  in  the  theorem  will  be  strict. 
Similarly,  we  have  shown  that  the  variance  of  the  observed  RV  will  be  greater  than  the 
original  for  r  <  3.4cr  so  the  proposed  bound  will  hold  for  r  6  [0,  ~  3.4<x),  Vt/c  ■ 

To  verify  the  theorem  is  valid  consider  a  normal  RV  N(p,cr 2)  which  is  quantized  and 
the  parameter  to  be  estimated  is  the  mean,  p.  We  show  the  results  of  a  numerical  study 
in  Figure  6.13  in  which  we  estimate  p  via  the  standard  maximum-likelihood  method  for 
various  bin  sizes,  r.  It  can  be  seen  that  for  any  shift  in  the  bins  (i.e.,  V0-)  that  the  resulting 
RMSE  lies  above  the  CRLB  for  r  <  3.4<x  which  supports  Theorem  1.  Conversely,  for 
values  of  r  >  3.4<x,  the  results  shown  in  Figure  6.13  demonstrate  that  CRLB  will  not  be 
appropriate  Vt/c  Thus,  without  a  priori  knowledge  of  the  exact  annular  offset  ij/,  the  a  lower 
bound  cannot  be  realized. 

Note  that  for  smaller  relative  values  of  r  (e.g.,  r  e  [0,  cr ))  the  deviation  from  the  latent  RV 
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variance  is  minimal.  Thus,  it  will  be  that  the  bound  presented  in  Theorem  1  is  not  strict  and 
an  efficient  estimator  will  achieve  the  lower  bound.  In  other  cases  where  r  is  larger  and  the 
quantized  variance  deviates  from  the  latent  variance,  an  efficient  estimator  will  not  meet 
the  lower  bound  as  defined  by  the  latent  variance  and  the  inequality  in  the  theorem  will  be 
strict.  However,  for  smaller  r  the  deviation  of  the  quantized  RV  variance  from  the  latent  RV 
variance  can  be  calculated  with  a  high  degree  of  fidelity  via  Sheppard’s  correction  (6.40). 
Thus,  the  bound  can  be  adjusted  in  this  manner  to  show  a  tighter  lower  bound  for  larger  r 
and  evaluate  the  efficiency  of  estimators.38 


38This  section  is  revised  from  [29]. 
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CHAPTER  7: 

The  Timing  Advance  as  a  Quantized  Random 

Variable 


In  this  section,  we  describe  the  TA  as  a  quantized  RV  and  compare  the  current  RV  with 
that  of  a  legacy  cellular  protocol.  We  then  derive  a  MLE  and  lower  bound  for  the  TA-based 
position  estimate  through  showing  that  the  LTE  TA  satisfies  the  requirements  of  Theorem  1 . 


7.1  Spatial  Quantization  in  Cellular  Networks 

It  is  not  difficult  to  see  that  the  TA  is  a  quantized  RV.  First,  the  base  station  must  make 
a  distance  estimate  based  on  the  time  of  arrival  of  a  UE’s  uplink  frame  which  we  model 
as  a  normal  RV.  The  assumption  of  normality  associated  with  this  phenomenon  is  well 
accepted  in  the  literature  [7],  [10].  Next,  the  eNB  must  determine  if  the  measured  distance 
necessitates  adjustment  to  the  UE’s  timing.  Because  the  base  station  can  only  affect  timing 
adjustment  in  discrete  units,  the  timing  mismatch  must  be  greater  than  r/c  in  order  for 
an  adjustment  to  be  issued.  Hence,  the  TA  can  be  seen  as  quantizing  the  UE’s  distance 
from  the  serving  eNB  to  the  nearest  multiple  of  r  as  in  Figure  7.1.  Recall  that,  in  LTE, 
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r  =  78.125  m  (cf.  (4.4)). 


The  quantization  scheme  depicted  in  Figure  7.1  is  also  applicable  to  GSM  where  r  = 
550  m  [40].  The  difference  in  quantile  size  for  GSM  and  LTE  can  be  attributed  to  tighter 
timing  alignment  required  in  LTE  in  order  to  support  higher  data  rates.  To  highlight  how 
the  change  in  quantile  size  from  GSM  to  LTE  affects  the  statistics  of  the  problem,  let  first 
cr bts  ~  (reNK  =  cr.  In  other  words,  let  the  latent  RV  associated  with  the  eNB(BTS)  error 
estimation  of  the  UE  distance  be  approximately  the  same.  Let  cr  =  50  m  following  our 
review  of  field  measurements  in  Chapter  4.  Next,  recall  that  the  lower  bound  associated 
with  a  quantized  RV  is  the  CRLB  as  long  as  r  <  3.4cr  (cf.  Theorem  1). 

For  LTE  this  condition  holds  since 


tlte  ~  1.56cr.  (7.1) 

This  assures  that  there  is  a  finite  lower  bound  on  the  measurement  error  and  that  the  error 
will  be  approximately  independent  from  the  annular  offset,  i fj. 

Conversely,  in  GSM  the  condition  does  not  hold  since 


tGSM  =  1  lcr.  (7.2) 

Thus,  the  performance  of  the  position  estimate  will  be  highly  dependent  on  ip.  This 
means  that  if  the  target  UE  is  a  favorable  distance  away  from  the  BTS  (i.e.,  d  =  ht  so 
that  ip  =  0)  then  the  variance  of  the  position  estimate  will  go  to  zero  as  r  — >  oo  (cf. 
Figure  6.13).  Alternatively,  if  the  target  UE  is  not  a  favorable  distance  away  from  the  BTS 
(i.e.,  d  =  nr  +  r/2  so  that  ip  =  r/2)  then  the  variance  of  the  position  estimate  will  become 
very  large  as  r  — >  oo  (cf.  Figure  6.13). 

Therefore,  the  tighter  timing  alignment  in  LTE  marks  a  significant  change  in  how  the 
TA  can  be  used  for  positioning.  In  LTE  the  TA  can  be  used  with  relatively  consistent 
results.  Conversely,  the  performance  associated  with  TA-based  positioning  in  GSM  will 
vary  significantly  since  ip  is  generally  not  known  a  priori. 
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7.2  A  Maximum  Likelihood  Estimate  and  Lower  Bound 
for  Timing  Advance  Positioning 

In  order  to  derive  a  MLE  for  a  UE  position  we  must  first  characterize  the  distribution  of 
error  after  quantization  pw(x)  which  is  shown  in  Figure  6.6  and  given  in  (6.10).  However, 
we  have  shown  in  (6.37)  that  the  shape  of  the  density  is  parameterized  by  if/.  Despite  this 
fact,  we  will  further  show  that  it  is  also  appropriate  to  model  all  possible  p^'{x\if/)  with  a 
single  density  that  is  independent  of  if/. 

To  begin,  let  pn'{x,  if/)  be  the  joint  density  of  the  error  in  the  distance  estimate  and  annular 
offset  if/.  Next,  let  pn'(x)  be  a  normal  marginal  density  of  Pn'(x,  if/)-  Recall,  that  this 
choice  of  a  distribution  models  the  continuous  error  associated  with  distance  measurement 
and  is  widely  accepted  in  the  literature  [7],  [10].  To  arrive  at  pw(x\if/),  contrast  the  effect 
on  IIIr(jc  -  if/)  of  when  a  UE  is  positioned  in  the  center  of  a  TA  annulus  (if/  =  0)  with  when 
a  UE  is  on  a  TA  boundary  ( if/  =  r/2)  which  is  shown  in  Figure  6.11.  Upon  inspection, 
it  appears  that  ppr(x)  and  py(if/)  should  be  dependent  since  the  shape  of  pw(x\if/)  is 
completely  dependent  on  if/.  However,  it  has  been  shown  that  if  the  conditions  of  QT1  or 
QT2  are  satisfied  then  ppr(x)  and  pm  {if/)  are,  in  fact,  independent  [71],  [72]. 

The  implications  of  this  paradoxical  independence  on  the  TA  as  a  RV  is  that  regardless 
of  where  the  UE  is  located  within  a  TA  annulus,  the  error  can  be  modeled  with  the  same 
density  assuming  the  conditions  of  QT1  or  QT2  can  be  met.  This  is  an  important  fact 
to  establish  in  order  to  make  an  MLE  which  is  independent  of  if/  tractable.  It  is  obvious 
that  neither  tqsm  or  tlte  meet  QT1  since  the  latent,  unquantized,  RV  (Gaussian)  is  not 
bandlimited.  Fortunately,  QT2  only  requires  approximate  bandlimitation.  It  can  be  seen 
from  (7.2)  that  GSM  does  not  satisfy  QT2.  However,  from  (7.1)  it  can  be  seen  that  LTE 
does  satisfy  QT2. 

Thus,  in  addition  to  providing  consistent  results  from  TA-based  positioning,  the  tighter 
timing  alignment  in  LTE  also  allows  us  to  formulate  a  MLE  independent  of  if/  allowing  for 
tractable  analysis  and  making  a  closed  form  solution  possible. 

To  see  this  consider  the  joint  density  presented  in  the  left  pane  of  Figure  7.2.  When  the 
joint  density  is  rotated  such  that  the  if/  dimension  is  not  visible,  as  in  the  right  panel,  one 
can  observe  the  latent  normal  density.  If  the  value  of  ip  is  completely  unknown  it  would  be 
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x/cr 


(a)  pw(x,if/)  (b)  PN'(x) 

Figure  7.2.  The  joint  and  marginal  density  of  the  error  associated  with 
TA-based  positioning  is  presented.  Adapted  from  [29]. 


(7.3) 


(7.4) 


therefore  pw(x)  ~  N(0,  cr2)  regardless  of  the  shape  of  py(i//). 

Having  established  pn'(x\*I*)  =  PN'{x),  we  can  now  formulate  the  MLE  for  a  set  of  single 
distance  measurements  d  -  [d\,  rA,  •  •  • ,  (InY  from  N  distinct  eNBs  as 


p  =  argmax/^frfld)  (7.5) 

p 

where  p  =  [x,  ij]T  is  the  position  estimate  and  d  =  [d\,do,  ■ .  -  is  a  vector  of  true 

distances  such  that  dj  =  d  +  N' .  The  solution  to  this  program  for  normally  distributed 
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measurement  error  is  well-known  as  [10] 


N 

X 

1= 1 


(dj  -  di)(x  -  Xi ) 
cr}  d; 


0 


(7.6) 


N 

X 

i—  1 


(dj  -  dj)(y  -  Ljj) 
end-, 


=  0. 


(7.7) 


Solving  (7.6)  and  (7.7)  directly  involves  an  exhaustive  search  in  p.  However,  numerical 
solutions  have  been  proposed  that  have  been  shown  to  be  statistically  efficient  (e.g.,  [31]). 
A  further  difficulty  of  (7.6)  and  (7.7)  is  that  they  depend  on  the  true  distance  estimate  dj 
which  is  obviously  not  known  a  priori. 

Here,  we  adopt  two  methods  for  approximating  the  solution  to  (7.6)  and  (7.7).  In  the  first 
approach  we  approximate  the  MLE  as  [73] 


N 

p  =  argmin  V  (dj  -  ||p-p/||V 
p  ;=i 


(7.8) 


where  p,  =  [x,-,  y,]T  is  the  position  of  the  zth  eNB.  The  sum  can  easily  be  extended  to  include 
a  CeSAR  measurement  by 


2  N 

p  =  arg  min  (d'~  II  p  -  p'  ||)‘  +  V  (dt-  ||  p  -  p / 
p  777 


(7.9) 


where  p'  =  [x\  y']T  is  the  position  of  the  CeSAR  sensor. 


In  this  way,  each  term  in  the  sum  represents  the  squared  residual  error  associated  with  each 
position  in  p  given  the  distance  measurements  d.  The  p  which  minimizes  the  sum  of  the 
squared  residuals  is  taken  as  the  position  estimate  p.  This  approximation  will  be  valid  only 
for  the  case  where  each  cr,  =  cr,  Vz  and  is  thus  a  necessary  condition.  This  is  a  well-known 
technique  which  is  widely  accepted,  especially  in  the  case  where  the  error  cannot  be  exactly 
parameterized  by  a  probability  distribution  [10].  Note  that  (7.8)  and  (7.9)  do  not  depend 
on  any  dj  thus  removing  a  significant  obstacle  associated  with  (7.6)  and  (7.7);  however,  the 
solution  to  (7.8)  and  (7.9)  cannot  be  found  in  closed  form.  Instead,  numerical  means  must 
be  leveraged  which  can  still  be  computationally  expensive  [10]. 
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The  second  solution  we  leverage  takes  more  of  a  brute  force  approach  which  trades  compu¬ 
tational  complexity  for  a  solution  which  is  not  nuanced  by  idiosyncrasies  associated  with 
more  complex  approximate  methods  (e.g.,  the  non-linear  solver  associated  with  the  numer¬ 
ical  solution  to  (7.8)).  This  solution  first  computes  a  single  error  surface  over  the  tracking 
area.  Assuming  each  measurement  to  be  independent  of  the  next  it  can  be  defined  by 

N 

p(^lp)  =  f"[p(^lp).  (7.10) 

i=  1 

An  optional  equivalent  surface,  relative  to  the  solution  of  (7.6)  and  (7.7),  which  may  be 
more  convenient  can  be  expressed  as 


N 

P(<*lp)  =  ^]logp(4|p)  (7.11) 

i=  1 

where  p(J|p)  is  known  as  the  log-likelihood  function  of  d.  The  sum  in  (7.11)  can  be 
extended  to  include  a  CeSAR  measurement  so  that 

N 

p(i?|p)  =  logp(J'lp)  +^logp(i,|p).  (7.12) 

i=  1 

Because  the  value  at  each  point  in  the  error  surface  must  be  computed  individually,  the 
surface  necessarily  will  have  some  granularity  which  can  be  thought  of  as  sampling.  The 
granularity  will  vary  inversely  with  the  computational  load.  Thus,  the  higher  the  resolution 
of  the  surface,  the  higher  the  computational  load.  This  surface  is  then  exhaustively  searched 
for  the  global  maximum.  A  second  surface,  with  a  higher  resolution  and  smaller  area,  is 
then  calculated  around  this  global  maximum  in  order  to  refine  the  estimate.  The  global 
maximum  on  the  second  surface  is  then  taken  as 

p  =  argmaxp(rflp).  (7.13) 

p 

This  method,  while  computationally  costly,  will  later  be  shown  to  be  efficient  in  the  sense 
of  the  lower  bound  derived  in  Chapter  7  while,  similar  to  (7.8),  not  being  dependent  on  any 
di. 
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A  difficulty  associated  with  each  of  these  solutions  is  that  a  valid  starting  point  must  be  used 
in  order  to  avoid  the  local  maximum  trap.  Therefore,  we  assume  an  a  priori  knowledge  of 
the  general  target  location  such  that  the  local  maximum  trap  is  avoided.  In  order  to  highlight 
more  relevant  points  in  the  results  and  avoid  sources  of  error  associated  with  local  maxima 
we  initialize  each  solution  with  the  true  location  of  the  UE.  We  recognize  this  artificiality 
in  the  experimentation  while  also  noting  that  optimization  of  difficult  objectives  with  local 
maxima  is  a  well-traveled  subject  in  the  literature  and  not  the  focus  of  our  research. 

Finally,  because  the  p  generated  in  this  way  are  not  exact,  we  hereafter  refer  to  solutions 
made  via  one  of  the  two  aforementioned  methods  as  the  approximate-MLE  (AMLE). 
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CHAPTER  8: 
Results 


In  this  chapter,  we  present  results  that  support  the  previous  analysis  and  describe  the  perfor¬ 
mance  of  TA-based  positioning  with  and  without  CeSAR  augmentation.  Furthermore,  the 
ability  of  CeSAR  to  mitigate  geometric  weaknesses  in  the  network  infrastructure  is  demon¬ 
strated.  We  first  show  the  accuracy  of  TA-based  positioning  and  CeSAR  augmentation  in 
various  scenarios  using  synthetic  and  empirical  data.  Next,  we  show  the  MLE  to  be  an 
efficient  estimator  in  the  context  of  the  lower  bound  derived  in  Chapter  7. 

The  results  presented  herein  have  been  largely  previously  published  (or  are  submitted  for 
publication)  [21],  [24],  [28],  [29].  Specifically,  Section  8.1.1  is  revised  from  “Cellular 
Synchronization  Assisted  Refinement  (CeSAR):  A  Method  for  Accurate  Geolocation  in 
LTE-A  Networks”  by  John  Roth,  Murali  Tummala,  and  James  Scrofani  published  in  the 
proceedings  of  the  49th  Hawaii  International  Conference  on  System  Sciences  in  January 
2016  [24].  Section  8.1.2  is  revised  from  “Location  Privacy  in  LTE:  A  Case  Study  on 
Exploiting  the  Cellular  Signaling  Plane’s  Timing  Advance”  by  John  Roth,  Murali  Tummala, 
John  McEachen,  and  James  Scrofani  to  be  published  in  the  proceedings  of  the  Hawaii 
International  Conference  on  System  Sciences  in  January  2017  [28].  Section  8.3.2  is  revised 
from  “On  Location  Privacy  in  LTE”  by  John  Roth,  Murali  Tummala,  John  McEachen,  and 
James  Scrofani  which  has  been  submitted  for  publication  [29]. 

8.1  Accuracy  of  Timing  Advanced-Based  Positioning 

In  this  section,  we  use  synthetic  and  empirical  data  to  examine  the  achievable  accuracy 
associated  with  TA-based  positioning  and  CeSAR  augmentation. 

8.1.1  Synthetic  Results 

First,  using  only  synthetically  generated  measurements  we  evaluate  performance  in  several 
scenarios  of  interest.  Specifically,  we  investigate  performance  in  legacy  deployments, 
handover  scenarios,  and  in  heterogeneous  networks.  When  CeSAR  is  included,  no  error  is 
assumed  in  the  CeSAR  measurement  and  the  most  central  point  on  the  refined  locus  is  used 
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Figure  8.1.  Results  of  positioning  with  synthetic  data  in  a  legacy  network 
deployment  is  presented.  The  refined  estimate  is  the  result  of  CeSAR  aug¬ 
mentation.  Source:  [24], 

as  the  position  estimate.  When  CeSAR  is  not  used,  the  centroid  of  the  locus  is  used  as  the 
position  estimate.  Additionally,  sectoring  of  the  serving  cell  is  not  assumed  in  any  study. 
Excerpts  from  this  section  are  taken  from  [24]. 

Legacy  Deployments 

First,  we  present  results  in  several  different  scenarios  realized  with  entirely  synthetic  mea¬ 
surements.  In  this  section,  TA  error  is  modeled  as  uniform  tl  ~  [-78.125/2m,78.125/2m] 
and  the  target  and  sensor  are  randomly  placed  throughout  the  coverage  area  (max  distance 
«  500  m)  such  that  the  distance  from  the  PCell  is  uniform  as  is  the  angle  from  the  abscissa. 
It  additionally  imposed  that  the  sensor-UE  distance  is  >  78.125  m.  The  first  study  uses  only 
one  serving  eNB  (PCell)  in  order  to  model  performance  in  legacy  LTE  networks.  When  a 
position  estimate  is  made  with  TA  data  only  p  is  chosen  randomly  inside  the  TA  annulus 
such  that  the  polar  angle  is  uniformly  distributed  6  [0, 2 n)  and  annular  offset  \p  is  uniformly 
distributed  6  [nr  -  r/2,  nr  +  r/2].  The  results  are  presented  via  a  cumulative  distribution 
of  errors  in  Figure  8.1. 

The  low  performance  in  this  technique  can  be  explained  by  the  high  degree  of  uncertainty 
offered  by  a  large  locus.  Small  errors  are  representative  of  scenarios  when  the  TA  quantity  is 
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small  (i.e.,  the  UE  is  physically  close  to  the  eNB)  or  in  the  unlikely  scenario  that  the  estimated 
position  is  chosen  very  near  to  the  actual  target  location.  Large  errors  are  accounted  for 
by  large  TA  values  (i.e.,  the  UE  is  near  or  on  the  cell  boundary)  and  when  the  estimated 
position  is  chosen  on  the  opposite  side  of  the  annulus  as  the  true  target  location.  Of  special 
note  is  this  curve’s  very  uniform  appearance  with  the  slight  non-uniformity  accounted  for 
by  the  non-linear  shape  of  the  locus. 

The  second  curve  presented  in  Figure  8.1  contrasts  the  performance  improvements  that  can 
be  realized  through  CeSAR.  This  curve  presents  in  much  more  of  an  exponential  distribution, 
shifting  the  preponderance  of  errors  to  much  lower  values.  Here,  CeSAR  results  in  254  m 
improvement  in  the  circular  error  probable  (CEP)  70%  metric. 

Despite  significant  improvement  from  the  former  method,  notable  large  errors  are  still 
present.  These  large  errors  are  realized  when  the  intersection  between  the  circle  and  annulus 
results  in  two  separate  line  segments  (disjoint  locus)  and  the  estimated  target  location  is 
on  the  opposite  segment  from  the  actual  target  location.  Again,  larger  TAs  result  in  the 
potential  for  larger  errors,  thus  cell  size  can  be  linked  to  accuracy. 

Handover  Scenarios 

In  the  next  study,  still  in  keeping  with  legacy  network  deployments,  we  investigate  the 
performance  of  TA-based  positioning  during  handover  events.  The  handover  scenario  is 
particularly  interesting  since  two  TAs  are  issued  from  neighboring  eNBs  to  the  same  UE 
within  close  succession  of  each  other  thus  providing  additional  information  when  forming 
the  system  of  equations  used  to  generate  a  position  estimate. 

For  this  study,  we  assume  that  the  UE  is  located  on  the  cell  boundary  between  two  eNBs  as 
defined  by  N (/ucb,  cr2cb)  where  crcb  =  70  m  and  ncb  is  the  exact  cell  boundary.  This  model 
is  used  in  order  to  take  into  account  the  fact  that  handovers  do  not  always  happen  precisely 
at  cell  boundaries.  The  value  of  crcb  =  70  m  is  chosen  to  be  slightly  larger  than  measured 
errors  in  eNB  distance  measurements  (cf.  Chapter  4). 

As  can  be  seen  in  Figure  8.2,  we  see  a  significant  improvement  in  performance  both  with  and 
without  CeSAR  from  the  previous  scenario.  This  improvement  is  directly  attributable  to  the 
extra  positioning  information  associated  with  the  second  eNB.  When  this  extra  information 
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Figure  8.2.  Results  of  positioning  with  synthetic  data  in  handover  scenarios 
is  presented.  The  refined  handover  is  the  result  of  CeSAR  augmentation. 
Source:  [24], 

is  augmented  by  CeSAR  the  improvement  becomes  even  more  dramatic.  The  CEP  70% 
is  200  m  without  CeSAR  and  41  m  with  CeSAR.  Most  notable,  however,  is  the  large 
improvement  afforded  by  the  extra  information  associated  with  the  second  eNB. 

Heterogeneous  Deployments 

Motivated  by  the  results  realized  in  the  previous  section  by  including  a  TA  from  one 
additional  eNB,  we  investigate  the  achievable  performance  possible  in  heterogeneous  de¬ 
ployments.  Recall  (cf.  Chapter  4)  that  LTE  release  11+  deployments  may  include  physically 
disparate  eNBs  known  as  SCells  which  simultaneously  provide  service  to  a  single  UE.  Be¬ 
cause  there  is  no  requirement  that  the  eNBs  are  near  each  other,  each  eNB  is  responsible 
for  maintaining  timing  alignment  with  the  UE  by  issuing  separate  TAs  attributable  to  the 
respective  PCell  or  SCells  via  the  TAG  [50],  [54]. 

In  order  to  model  this  type  of  deployment,  the  sensor  and  UE  locations  are  randomly  chosen 
as  before.  The  first  SCells  positions  are  chosen  with  distribution  N(pUE,  cr2hi )  where 
HUE  =  [xue,  \)ue\T  is  the  location  of  the  UE  randomly  chosen  a  priori  and  <t/m  =  200  m. 
This  model  is  adopted  in  order  to  add  realism  to  the  simulation  since  UEs  are  more  likely 
to  be  associated  with  SCells  which  are  nearby.  Additionally,  the  SCells  will  likely  have  a 
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Figure  8.3.  The  results  of  positioning  with  synthetic  measurements  within 
a  heterogeneous  network  deployment  is  presented  when  one  to  four  SCells 
are  configured  along  with  the  PCell.  The  results  in  the  left  pane  are  from 
TA-only  positioning  while  those  in  the  right  pane  are  CeSAR  augmented. 
Source:  [24], 


smaller  coverage  area  represented  by  cr/,„.  The  results  of  varying  the  number  of  configured 
SCells  from  one  to  four  is  presented  in  Figure  8.3  without  CeSAR  in  the  left  pane  and 
with  CeSAR  in  the  right  pane.  A  maximum  of  four  SCells  is  considered  since  that  is  the 
maximum  number  of  SCells  the  standard  is  designed  to  support  (cf.  Figure  4.2). 

In  the  case  of  TA-only  positioning  the  CEP  70%  ranges  from  39.7  m  with  one  SCell 
configured  and  23.5  m  with  four  SCells  configured.  For  CeSAR  augmented  positioning  the 
CEP  70%  ranges  from  32  m  with  one  SCell  configured  to  14  m  with  four  SCells  configured. 
For  both  regular  and  CeSAR  augmented  TA-based  positioning,  this  marks  a  significant 
improvement  from  single  eNB  legacy  networks.  We  also  see  that  CeSAR  continues  to 
deliver  performance  gains  even  in  deployments  with  many  serving  eNBs  although  the 
magnitude  of  the  performance  gains  are  on  the  order  of  10  m  as  opposed  to  legacy  networks 
where  the  improvement  could  be  as  large  as  150  m.  Finally,  of  note  is  the  difference  in  the 
shape  of  the  error  distribution  between  CeSAR  augmented  and  TA-only  positioning.  The 
CeSAR  augmented  errors  appear  approximately  exponential  while  those  that  result  from 
TA-only  positioning  have  a  Rayleigh-like  shape.  Thus,  CeSAR  augmentation  will  realize 
more  small  errors  than  the  TA-only  option. 
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Summary  of  Synthetic  Results 

In  legacy  single  PCell  deployments  with  no  cell  sectoring  we  found  that  the  CEP  70% 
accuracy  was  412  m  when  only  the  TA  was  used  for  localization.  When  the  position 
estimate  was  made  during  a  handover  scenario,  the  TA-only  accuracy  improved  to  200  m 
CEP  70%.  Finally,  in  heterogeneous  networks  that  accuracy  further  improved  to  39.7  m  - 
23.5  m  for  one  to  four  SCells  configured  respectively. 

With  CeSAR  augmentation,  we  have  demonstrated  that,  in  non-sectored  cells,  a  user  could 
be  reliably  located  during  normal  legacy  intra-cell  mobility  management  to  within  158  m,  a 
254  m  improvement  over  TA-only  positioning.  Inter-cell  mobility  management  showed  an 
accuracy  of  41  m,  an  improvement  from  TA-only  positioning  of  around  159  m.  In  advanced 
heterogeneous  LTE  deployments  the  multiplicity  of  TAs  issued  to  a  target  UE  improve 
positioning  accuracy  dramatically.  Here,  CeSAR  can  deliver  excellent  performance  on  the 
order  of  14  meters  although  the  performance  gains  are  not  as  significant  as  in  legacy  network 
scenarios.39 

8.1.2  Empirical  Results 

In  this  section,  we  present  two  case  studies  conducted  in  Monterey,  CA  in  existing  LTE 
network  deployments.  In  both  cases,  real-world  TA  data  observed  in  the  network  are  used 
and  the  position  estimate  is  made  offline.  Both  scenarios,  depicted  in  Figure  8.4,  include  two 
actual  serving  eNBs  and  a  notional  sensor  if  CeSAR  augmentation  is  used.  In  both  cases, 
the  track  taken  by  the  UE  is  shown  alongside  the  infrastructure.  Scenario  A  (cf.  Figure  8.4, 
left  pane)  includes  a  UE  track  that  is  277  m  long  and  includes  73  recorded  TAs  in  the  700 
MHz  and  2000  MHz  bands.  Scenario  B  (cf.  Figure  8.4,  right  pane)  includes  a  UE  track 
that  is  830  m  long  and  includes  323  recorded  TAs  in  the  700  MHz,  1900  MHz,  and  2000 
MHz  bands.  Both  scenarios  are  conducted  in  suburban  settings  free  from  major  physical 
obstructions  like  skyscrapers  or  other  dense  urban  clutter.  Also,  in  both  scenarios,  the  UE 
is  traveling  at  «  50  km/hr.  In  the  event  that  CeSAR  augmentation  is  used,  a  notional  sensor 
is  included  as  in  Figure  8.4.  CeSAR  measurements  are  modeled  with  normal  zero-mean 
error  with  <jc  -  20  m.  In  both  scenarios,  the  position  estimate  is  calculated  via  the  AMLE 
in  (7.8)  or  (7.9). 

39This  section  has  been  revised  from  [24]. 
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Figure  8.4.  The  infrastructure  and  tracks  used  in  two  case  studies  conducted 
in  Monterey,  CA  is  presented.  Source:  [28]. 


At  the  time  of  this  study,  the  tested  network  did  not  support  physically  disparate  carrier 
aggregation.  Therefore,  simultaneous  TA  issuance  was  simulated  in  the  field  by  locking  a 
field  test  phone  to  one  eNB,  driving  the  track  depicted  in  Figure  8.4,  then  locking  the  phone 
to  a  neighboring  tower  and  driving  the  track  again.  TAs  were  elicited  and  the  phone  was 
kept  in  the  RRC  CONNECTED  state  by  continuously  sending  ping  requests  throughout  the  test 
drive. 


The  results  of  the  above  two  scenarios  are  shown  in  Figure  8.5.  In  terms  of  CEP  70°/c, 
scenario  A  was  accurate  to  240  m  and  scenario  B  was  accurate  to  295  m.  In  both  scenarios, 
CeSAR  augmentation  improved  positioning  accuracy.  The  CEP  70%  metrics  improved  after 
augmentation  to  95  m  and  157  m  respectively.  In  both  scenarios,  results  roughly  matched 
the  positioning  accuracy  predicted  in  simulation  during  a  handover  scenario  above.  This 
is  remarkable,  especially  given  that  the  network  performance  was  stretched  by  forcing  a 
connection  with  a  certain  eNB  while  traveling  outside  of  its  normal  coverage  area. 

This  study  corroborated  previous  simulation  performance  in  handover  scenarios  in  an 
existing  LTE  network  in  Monterey,  CA.  Moreover,  real-world  data  were  used  to  present  a 
realistic  picture  of  the  accuracy  possible  with  TA-only  and  CeSAR  augmented  positioning. 
CeSAR  augmentation  was  further  validated  by  demonstrating  performance  enhancements 
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Figure  8.5.  Positioning  performance  achieved  during  the  case  studies  per¬ 
formed  in  actual  network  deployments  in  Monterey,  CA.  Source:  [28]. 


of  around  150  m.40 


8.2  Empirical  CeSAR  Validation 

In  this  section,  we  evaluate  the  performance  of  CeSAR  in  terms  of  CEP  with  data  exclusively 
collected  during  experimentation.  As  before,  TA  data  are  collected  from  a  nearby  serving 
eNB  and  processed  in  accordance  with  the  aforementioned  precepts.  The  main  contribution 
of  this  experiment  is  to  introduce  real-world  CeSAR  data. 

8.2.1  Experimental  CeSAR  Setup 

As  depicted  in  Figure  8.6,  all  steps  of  the  CeSAR  method  are  tested  with  the  exception 
of  sensor-network  synchronization  which  is  assumed  a  priori.  The  observation  of  TAs  is 
conducted  as  before  with  a  field  test  phone.  Observation  of  uplink  bursts  is  conducted 
on-site  in  SDR.  Finally,  the  sensor-UE  distance  estimate  is  made  as  before  in  the  MFE  with 
the  assumption  that  the  CeSAR  error  is  normally  distributed. 

Of  these  steps,  observation  of  uplink  bursts  is  the  most  involved  and  represents  the  most 
significant  contribution  made  by  this  experiment,  which  separates  it  from  previous  experi¬ 
mentation  where  CeSAR  ranging  data  are  synthesized.  The  sensor  hardware  implementation 

40This  section  has  been  revised  from  [28]. 
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Figure  8.6.  The  CeSAR  algorithm  in  field  experimentation 


is  as  presented  in  Section  5.2  (cf.  Figure  5.2)  and  the  overall  system  setup  is  as  shown  in 
Figure  8.7.  A  single  USRP  was  used  to  transmit  and  receive  a  simulated  UE  uplink  frame. 
The  time-of-flight  of  the  frame  was  measured  and  used  to  estimate  the  sensor-UE  distance. 
The  transmit  antenna  was  placed  in  the  transmit  location  and  the  USRP  was  collocated 
with  the  receive  antenna  at  the  receive  location.  The  transmit  antenna  was  connected  to  the 
USRP  via  a  150  m  coaxial  cable.  Additionally,  several  amplifiers  were  used  in  the  system 
to  overcome  losses  associated  with  propagation  along  the  coaxial  cable  and  through  free 
space.  The  link  budget,  along  with  a  detailed  system  diagram  is  given  in  Appendix  H. 

A  single  USRP  with  synchronized  TX/RX  chains  was  used  due  to  difficulties  associated 
with  synchronizing  physically  disparate  USRPs.  When  synchronizing  USRPs  via  GPS 
disciplined  oscillators  the  best  achievable  synchronization  had  a  standard  deviation  of 
«  40  jus.  This  magnitude  of  synchronization  mismatch  translated  to  12  km  and  was  judged 
untenable  for  the  application.  Conversely,  synchronization  among  TX/RX  chains  resident 
on  the  same  SDR  daughterboard  resulted  in  errors  of  no  more  than  40  ns.  Thus,  intra-device 
synchronization  was  used. 


Figure  8.7.  The  experimental  CeSAR  system  setup 
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To  Scale 


Figure  8.8.  The  field  CeSAR  test  site  depicted  above  is  located  in  Mon¬ 
terey,  CA.  Distances  inside  the  dashed  box  are  drawn  to  scale;  however,  the 
relationship  of  the  eNB  to  the  local  test  site  is  not. 

The  time-of-flight  calculation  was  made  by  transmitting  a  binary  phase-shift  keyed  (BPSK) 
pseudo-noise  (PN)  sequence  and  matched  filtering  the  received  signal.  The  PN  sequence 
was  generated  by  a  Galois  linear  feedback  shift  register  (LFSR)  of  order  12  (4095  chips 
long).  This  length  was  chosen  as  a  trade-off  between  maximizing  the  processing  gain 
and  minimizing  the  processing  time.  The  signal  was  generated  with  the  GNU  Radio 
software  platform41.  While  an  uplink  frame  in  LTE  would  be  modulated  by  orthogonal 
frequency-division  multiplexing  (OFDM),  the  choice  of  BPSK  modulation  can  be  seen  as  a 
conservative  choice  when  estimating  performance  since  it  will  be  more  affected  in  a  fading 
channel  than  its  OFDM  realization.  The  BPSK  signal  was  transmitted  at  915.1  MHz  in 
order  to  simulate  cellular  frequency  propagation  characteristics  while  still  operating  in  an 
unlicensed  band.  The  sample  rate  of  the  N210  was  set  to  the  maximum  allowable  rate,  25 
MSps.  This  sample  rate  maximized  the  final  resolution  of  the  scheme  to  1/25  MSps  =  40 
ns  which  translates  to  roughly  12  m. 

The  field  test  site  is  shown  in  Figure  8.8.  Due  to  its  the  location,  there  was  only  one  available 

41  See  Appendix  I  for  the  python  code  used  to  synchronize  the  TX/RX  chains  and  generate  the  transmitted 
signal. 
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serving  eNB.  This  eNB  is  shown  in  Figure  8.8  (not  to  scale)  three  quarters  of  a  kilometer 
south  of  the  test  site.  The  sensor  remained  stationary  throughout  the  experiment  and  the 
target  was  moved  to  each  of  three  locations:  A,  B,  and  C.  At  each  location  the  sensor 
measured  the  UE-sensor  distance  as  outlined  above  100  times  and  received  TAs  from  the 
serving  eNB.  Measurements  were  validated  by  ensuring  the  value  of  the  correlation  peak 
resulting  from  the  matched  filter  was  sufficiently  high.  Only  one  measurement  taken  at  site 
A  was  a  statistical  outlier  and  discarded.  101,  74,  and  80  TAs  were  collected  at  sites  A,  B, 
and  C  respectively  after  statistical  outliers  were  discarded.  The  operating  bands  used  while 
these  TAs  were  issued  were  700  MHz  and  2000  MHz.  As  previously  mentioned,  the  eNB 
bias  was  assumed  a  priori  and  taken  into  account  when  estimating  d\.  The  distribution  of 
the  TA  and  CeSAR  measurements  are  presented  in  box  plots  in  Figure  8.9. 

We  note  that  this  particular  experimental  setup,  by  the  nature  of  physical  constraints  (e.g.,  the 
available  serving  eNBs  and  the  length  of  the  coaxial  cable),  is  an  example  of  a  pathological 
geometry  (cf.  Chapter  6).  In  these  experiments  crTA  «  68  m  for  TA  data  and  crsen  ~  23  m 
for  sensor  data.  Therefore,  assuming  worst  case  cr,  the  test  sites  should  be  at  least  3crTA 
off  the  symmetry  directrix  described  by  the  sensor  and  eNB  to  prevent  measurement  bias, 
however,  the  length  of  the  coaxial  cable  would  not  allow  this,  thus  forcing  pathology  (i.e., 
bias)  in  the  setup.  The  bias  was  manifested  here  due  to  the  circles  representing  distance 
estimates  not  intersecting  (cf.  Chapter  6).  This  resulted  in  a  preponderance  of  the  estimates 
lying  on  the  directrix.  Thus,  because  the  geometry  is  pathological  it  cannot  be  compared  to 
the  lower  bound  previously  derived. 

8.2.2  Empirical  CeSAR  Results 

The  measurements  were  used  offline  to  calculate  the  position  estimate  and  the  results  are 
presented  in  Figure  8.10.  Because  only  two  anchor  points  are  used  during  the  calculation 
(i.e.,  the  sensor  and  the  eNB),  the  system  of  equations  represented  by  d  is  underdetermined. 
Additionally,  the  proximity  of  the  sites  to  the  sensor  makes  the  geometry  pathological  as 
described  in  Section  6.3,  thus  the  estimate  is  found  with  the  residual  error  method  (cf. 
(7.8)).  The  results,  in  terms  of  CEP  70%,  were  53.6  m,  77.3  m,  and  57.8  m  for  locations 
A,  B,  and  C  respectively.  The  mean  values  were  60.7  m,  74.3  m,  and  61.6  m  for  sites  A,  B, 
and  C  respectively.  The  curves  show  that  the  vast  majority  of  the  errors  are  small,  however, 
a  significant  tail  is  also  observed  indicating  infrequent,  but  large  errors.  Regardless,  a 
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(a)  CeSAR 

Figure  8.9.  Box  plots  of  empirical 


(b)TA 

CeSAR  validation  measurements 


level  of  accuracy  which  may  be  able  to  meet  the  FCC’s  E-911  mandate  is  demonstrated. 
Considering  that  in  this  experiment  d  is  underdetermined  (two  equations),  CeSAR  presents 
as  a  viable  option  to  satisfying  federal  standards42. 


8.3  Efficiency  in  Timing  Advanced-Based  Positioning 

An  estimator  is  said  to  be  efficient  if  it  asymptotically  attains  the  CRLB  [48].  In  other 
words,  an  efficient  estimator  will  be  able  to  attain  the  CRLB  with  an  infinite  number  of 
corrupted  observations.  In  this  section,  we  show  that  TA-based  location  estimation  can  be 
efficient  and  demonstrate  the  maximum  achievable  bounds  for  this  type  of  positioning  with 
synthetic  and  real-world  TA  data.  Note  that  since,  for  LTE,  r  «  1 ,5<x  Sheppard’s  correction 
is  used  when  calculating  the  CRLB43. 

8.3.1  The  Effect  of  N  and  the  NLoS  Channel 

In  the  first  study,  we  position  notional  eNBs  on  a  scaled  circle  centered  around  the  target 
UE  as  in  Figure  8.11.  Since  the  positioning  accuracy  is  dependent  only  on  the  angular 
geometry  and  not  the  target-eNB  distance  (cf.  (6.5)),  the  radius  of  the  circle  is  some 

42The  FCC’s  E-911  mandate  requires  that  Pr[||  po  -  p  ||<  100m]  =  0.67  and  Pr[||  po  -  p  ||<  300m]  = 
0.95  [4],  [5], 

43Refer  to  the  discussion  of  Theorem  1  in  Chapter  6  for  more  information  on  the  necessity  of  this  when 
showing  the  efficiency  of  an  estimator  using  quantized  observations  of  a  RV. 
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Figure  8.10.  CDF  of  positioning  with  empirical  CeSAR  measurements 

arbitrary  distance  r.  Each  eNB  has  a  fixed  angular  separation  of  2n/(Nmax  +  1)  from 
the  next  as  in  Figure  8.11.  The  study  is  repeated  for  a  different  N  e  {3,9}  such  that  the 
angular  separation  9  =  2n/(Nmax  +  1)  is  held  constant  and  the  number  of  eNBs  N  is  varied 
up  to  Nmax  =  9.  When  positioning  is  augmented  with  CeSAR,  the  sensor  is  placed  at 
6  =  -n(Nmax  -  N) I {Nmax  -  1).  Heuristically,  the  CeSAR  angle  can  be  seen  as  being  placed 
7i  radians  from  the  center  of  the  total  angle  subtending  all  eNBs.  In  order  to  show  the  effect 
of  an  NLoS  channel,  each  eNB  is  optionally  contaminated  with  NLoS  error.  The  overall 
ratio  of  eNBs  contaminated  by  NLoS  error  is  given  by  £  (the  notation  indicates  CeSAR 
is  used).  Here,  NLoS  error  is  modeled  as  6{d  -  /j)  in  accordance  with  the  channel  model 
presented  in  Chapter  2  [7],  [27],  [30].  For  these  simulations  =  /i  =  50  m,  Vi.  The  results 
of  Monte  Carlo  trials  with  each  N,  with  and  without  CeSAR,  and  for  different  £,  are  shown 
in  Figure  8.12.  In  this  case,  position  estimates  are  calculated  with  the  AMLE  presented  in 
(7.11)  and  (7.12). 

The  left  pane  of  Figure  8.12  first  demonstrates  the  efficiency  of  the  AMLE  due  to  its 
congruence  with  the  CRLB44.  We  also  see  that  for  these  geometries,  RMSE  accuracies 
from  «70  m  to  «35  m  are  possible.  It  is  evident  that,  at  first,  increasing  N  realizes 
significant  gains  which  become  less  significant  as  N  becomes  large  relative  to  Nmin .  As  C  is 

44The  CRLB  here  and  in  the  subsequent  study  have  been  adjusted  using  Sheppard’s  correction  for  quantized 
RVs  such  that  cr2CRLB  =  +  r2/12. 
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Figure  8.11.  The  experimental  setup  for  real-world  TA  data 

increased,  as  expected,  performance  decreases  and  the  channel  model  prevents  an  unbiased 
estimate;  hence,  the  CRLB  is  not  attained.  However,  it  is  notable  that  even  in  heavy  NLoS 
environments  (£  =  2/3)  RMSE  accuracies  of  ~95  m  to  «50  m  are  possible. 

The  right  pane  of  Figure  8.12  shows  the  performance  as  RMSE  with  and  without  CeSAR 
augmentation  for  two  levels  of  NLoS  contamination  In  both  cases  CeSAR  provides 
modest  gains  of  approximately  5  m.  When  NLoS  contamination  is  increased  to  £  =  1/3, 
performance  decreases  overall  by  10  to  20  m  and  the  relative  performance  increase  of 
CeSAR  remains  constant.  For  both  cases  of  £,  the  modest  increase  in  performance  is 
explained  by  the  minimal  effect  of  change  on  the  angular  geometry  when  the  CeSAR  sensor 
is  included.  Because  the  sensor  is  placed  roughly  parallel  to  the  mid-line  axis  of  the  eNBs, 
CeSAR  has  a  limited  contribution  (cf.  (6.5)).  We  will  show  in  the  next  experiment  how  the 
sensor  can  be  placed  in  order  to  maximize  its  effect. 

Finally,  note  that  in  both  panes  the  magnitude  of  location  accuracy  demonstrated  is  well 
under  that  of  r.  To  understand  this,  first  consider  the  case  when  N  =  1  and  when  the 
eNB  can  perfectly  determine  the  UE  distance.  Here,  the  error  in  the  distance  estimate  is 
minimized  when  p  is  chosen  at  the  middle  of  the  TA  annulus  such  that  the  error  is  uniform, 
1A  ~  [-r/2,  r/2].  From  this  it  can  be  shown  that  the  associated  mean  error  is  ~  19  m 
and  the  associated  RMSE  is  ~  22  m.  Thus,  the  demonstrated  accuracy  is  well  above  the 
minimum  distance  estimation  accuracy.  However,  we  also  note  that,  assuming  no  restriction 
on  Amax,  it  is  conceivable  to  obtain  RMSE  accuracy  lower  that  22  m  when  GDoP  <  1  (cf. 
Chapter  6). 


92 


(a)  (b) 

Figure  8.12.  The  performance  of  the  TA-based  MLE  in  various  levels  of  NLoS 
contamination  £  with  optional  CeSAR  augmentation  (£c).  Source:  [74], 

8.3.2  The  Effect  of  Infrastructure  Geometry 

We  now  change  the  experimental  setup  to  that  shown  in  Figure  8. 13  in  order  to  examine  the 
efficiency  of  the  AMLE  with  real-world  TA  data  and  to  highlight  the  capacity  of  CeSAR  to 
negate  poor  GDoP  effects.  In  all  studies,  there  are  N  =  3  eNBs  arranged  on  a  circle  centered 
on  the  UE  of  some  radius  r.  The  eNBs  all  share  an  angular  separation  of  6.  When  the 
CeSAR  sensor  is  used,  it  is  positioned  at  6  =  3/r/4  also  on  the  same  circle  with  radius  r .  For 
each  scenario  a  different  angular  separation  between  the  eNBs  6  e  { 7r / 1 0,  3n/20,  n/5,  7t/4} 
is  used.  Note  that  6  starts  off  small  such  that  the  eNBs  are  tightly  clustered  and  share  a 
similar  angle  to  the  UE.  At  0max  =  tt/4  the  third  and  first  eNB  are  separated  by  26  =  n/ 2 
and  the  eNBs  are  more  dispersed  than  at  6mm  =  7r/10.  Because  in  an  actual  LTE  network 
deployment  the  number  of  serving  eNBs  and  cr  do  not  vary  significantly,  here  we  show 
positioning  accuracy  as  a  function  of  infrastructure  geometry  by  iterating  through  the  various 
values  of  6.  This  experiment  is  conducted  with  both  synthetic  and  real-world  data.  For 
synthetic  TA  data,  in  line  with  field  measurements  presented  in  Chapter  4  [21],  the  observed 
cr  «  50  meters  for  all  serving  eNBs.  Also  in  accordance  with  Chapter  7,  the  latent  data 
are  quantized  by  r  =  78.125  meters  before  producing  a  distance  estimate  via  (7.1 1).  When 
the  real-world  data  are  augmented  with  CeSAR,  the  CeSAR  error  used  is  the  same  that  was 
generated  during  the  Empirical  CeSAR  validation  presented  in  Section  8.2.  Additionally, 
the  same  AMLE  as  was  used  in  the  previous  experiment  is  also  used  here. 


93 


UE 


Figure  8.13.  The  experimental  setup  for  all  real-world  TA  data.  Source:  [29]. 

The  results  of  these  studies,  with  and  without  CeSAR  augmentation,  are  presented  in  Fig¬ 
ure  8.14  alongside  the  theoretical  lower  bound  derived  in  Chapter  7  for  each  6.  Additionally, 
for  each  6 ,  real-world  and  synthetic  data  are  used.  First,  we  observe  close  agreement  with 
the  results  and  the  theoretical  lower  bound  for  both  synthetic  and  real-world  data  further 
validating  the  analysis  and  the  efficiency  associated  with  the  AMLE.  Second,  we  see  close 
agreement  between  the  simulated  data  and  real-world  data.  This  agreement  validates  as¬ 
sumptions  we  have  made  regarding  the  nature  of  the  data  in  general  which  follow  from  the 
theory  of  quantized  random  variables. 

Note  the  trend  of  localization  accuracy.  When  6  is  small  and  CeSAR  is  not  used  to 
augment  the  position  estimate,  the  RMSE  is  relatively  high.  However,  as  6  increases  to 
its  maximum  value,  the  RMSE  decreases.  This  agrees  with  the  trend  expected  given  in 
(6.5).  Thus,  the  existing  network  geometry  is  seen  as  a  strong  influence  on  the  positioning 
performance.  In  this  study,  the  accuracy  varies  on  the  order  of  50  meters  depending  on 
the  infrastructure  layout.  However,  when  the  CeSAR  sensor  is  included  and  strategically 
placed,  the  dependence  of  localization  accuracy  on  network  geometry  can  be  essentially 
negated.  This  illustrates  one  of  the  main  strengths  of  CeSAR  enumerated  in  Section  8.2 
in  mitigating  the  effects  of  poor  network  geometry.  The  strategy  used  to  maximize  the 
geometric  effect  of  CeSAR  is  to  place  the  sensor  as  orthogonal  to  the  remaining  eNB  angles 
as  possible.  Finally,  we  demonstrate  with  real  and  synthetic  data  that  RMSE  accuracies  on 
the  order  of  40  meters  are  possible  which  agrees  with  previous  studies. 

Through  the  two  studies  presented  here,  we  have  shown  the  AMLE  to  be  efficient  relative 
to  the  CRLB.  We  have  also  demonstrated  theoretical  accuracies  on  the  order  of  tens  of 
meters,  shown  how  accuracy  is  affected  in  NLoS  scenarios,  for  various  N,  and  demon- 
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Figure  8.14.  The  results  of  the  numerical  studies  for  constant  N  in  terms 
of  RMSE  are  presented  in  this  figure.  Results  realized  from  simulated  and 
real-world  error  data  are  presented.  Source:  [29]. 


strated  CeSAR’ s  resilience  in  network  infrastructure  where  geometry  negatively  affects 
precision.45 


45This  section  has  been  revised  from  [29]. 
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CHAPTER  9: 
Conclusion 


In  this  work,  we  have  evaluated  the  TA  parameter  as  a  means  to  position  estimation  in  cellular 
networks.  This  investigation  has  shed  light  on  the  TA  both  as  a  security  vulnerability  and 
under-leveraged  network  parameter  alike.  Additionally,  we  showed  how  more  information 
can  be  extracted  from  the  TA  in  order  to  provide  a  refined  estimate  through  the  CeSAR 
method. 

The  investigation  was  conducted  through  protocol  analysis,  statistical  analysis,  simulation, 
and  field  experimentation.  The  method  of  evaluation  began  with  protocol  analysis  where  it 
was  found  that  TA-based  geolocation  and  a  method  of  refinement,  via  CeSAR,  was  possible. 
Next,  the  position  estimate  as  gleaned  from  the  TA  was  statistically  analyzed  in  order  to  de¬ 
termine  the  feasibility,  in  the  sense  of  accuracy,  of  the  method.  Significant  statistical  findings 
led  to  simulations  under  various  scenarios  of  interest  such  as  legacy  network  deployments, 
handover  scenarios,  and  heterogeneous  network  deployments.  Next,  field  experimentation 
was  conducted  in  real-world  network  deployments.  These  experimentation  results  uncov¬ 
ered  parameters  associated  with  real-world  TA  issuance  such  as  error  distribution  shape  and 
statistics.  These  real-world  errors  were  used  in  simulations  to  demonstrate  the  statistical 
efficiency  of  TA-based  positioning  and  further  investigate  performance.  Finally,  CeSAR 
was  also  investigated  in  a  real-world  wireless  channel  in  an  SDR  testbed. 

9.1  Significant  Contributions 

The  results  of  this  work  have  made  several  notable  contributions.  Specifically,  those 
contributions  include  protocol  analysis  leading  to  the  CeSAR  refinement  method,  framing 
the  TA  as  a  quantized  random  variable  to  derive  a  MLE  and  corresponding  lower  bound  on 
positioning  error,  and  extensive  experimentation,  which  included  field  data,  that  validated 
analytical  results. 
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9.1.1  Cellular  Synchronization  Assisted  Refinement 

The  contribution  of  the  CeSAR  method  was  realized  from  an  in-depth  analysis  of  the  LTE 
protocol.  In  this  analysis,  it  was  discovered  how  the  TA  value  could  also  be  passively 
leveraged  to  find  the  UE  distance  from  a  local  sensor.  When  combined  with  the  traditional 
eNB-UE  distance,  which  is  more  explicit  in  a  TA,  this  information  added  a  crucial  dimension 
to  the  system  of  equations  otherwise  typically  used  in  TA-based  positioning.  The  protocol 
was  also  used  to  show  that  the  observation  needed  in  CeSAR  was  feasible  without  the  need 
to  bypass  encryption  making  the  contribution  of  CeSAR  even  more  potent.  A  corollary  of 
CeSAR  was  that  the  reconfigurable  nature  of  the  method  also  allowed  the  user  to  mitigate 
problems  associated  with  GDoR 

CeSAR  was  framed  as  both  a  security  vulnerability  and  a  network  performance  multiplier. 
From  the  perspective  of  a  security  vulnerability,  the  CeSAR  operator  would  be  a  third  party 
extra-network  operator.  It  was  shown  how  this  operator  could  locate  a  target  reasonably 
accurately  with  a  low  chance  of  detection  since  the  method  is  entirely  passive.  Conversely, 
from  a  network  perspective,  the  method  was  shown  to  be  a  performance  multiplier  since, 
in  contrast  to  current  positioning  protocols  (cf.  LPP),  it  is  passive  and  does  not  introduce 
additional  network  traffic  in  developing  a  position  estimate. 

9.1.2  Statistical  Analysis  of  the  Timing  Advance 

The  analysis  of  the  TA  first  began  in  the  LTE  protocol  where  TA  behavior  such  as  uncertainty, 
issuance  frequency,  and  reasons  for  issuance  were  investigated.  Once  the  TA  was  found  as  a 
tenable  means  for  positioning,  it  was  next  analyzed  statistically  by  casting  it  as  a  quantized 
RV.  This  was  the  impetus  for  several  important  ideas. 

First,  it  was  shown  in  Theorem  1,  that  regardless  of  the  target  position  within  a  TA  annulus 
ifj,  the  latent  normal  error  distribution  could  be  used  to  model  the  associated  error.  This 
is  significant  since  the  exact  observed  error  distribution  is  discrete,  making  further  useful 
analysis  untenable.  However,  due  to  the  result  of  Theorem  1,  an  exact  MLE  for  TA-based 
positioning  was  shown  to  be  equivalent  to  the  MLE  for  normally  distributed  error.  A  direct 
and  significant  consequence  of  the  MLE,  which  was  expressible  in  closed  form,  was  a  lower 
bound  on  the  RMSE  of  the  TA-based  position  estimate. 

While  the  MLE  was  significant,  we  noted  that  it  was  dependent  on  information  not  likely 
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known  a  priori  and  levied  a  heavy  computational  burden  to  evaluate.  Therefore,  an  AMLE 
was  developed  to  demonstrate  efficiency  in  TA-based  positioning.  The  efficiency  was  shown 
with  both  simulated  and  real-world  TA  data.  Demonstrable  efficiency  then  allowed  us  to 
use  the  lower  bound  to  predict  asymptotic  behavior  of  TA-based  MLE  positioning. 

Also,  notable  was  the  comparison  of  the  statistics  of  the  TA  in  GSM  versus  LTE.  We  showed 
that,  under  certain  assumptions,  Theorem  1  did  not  apply  to  the  TA  in  GSM  whereas  it 
does  in  LTE.  This  was  significant  because  it  shows  that  the  tighter  alignment  required  in 
LTE  ultimately  also  steered  the  protocol  around  a  statistical  corner  where  not  only  is  better 
accuracy  possible,  but  the  accuracy  will  be  consistent  regardless  of  the  UE  position  within 
the  TA  annulus.  In  contrast,  this  consistency  cannot  be  expected  in  GSM  and  the  accuracy 
of  the  position  estimate  will  show  strong  dependence  on  the  annular  offset. 

9.1.3  Field  Experimentation 

The  first  goal  of  field  experimentation  was  to  understand  how  the  TA  behaves  in  the  wild 
in  order  to  develop  a  better  TA  model  in  simulation.  To  this  end,  TAs  were  collected  in 
four  cities  spanning  the  east  and  west  coasts  of  the  United  States.  TAs  were  observed  in 
real-world  network  deployments  in  Baltimore,  MD,  Annapolis,  MD,  San  Diego,  CA,  and 
Monterey,  CA.  The  TAs  were  observed  in  environments  spanning  suburban  to  dense  urban 
environments,  across  several  bands,  and  for  stationary  and  moving  UEs.  This  allowed  us  to 
validate  in  situ  that  the  LTE  TA  was  issued  frequently  enough  for  a  positioning  application 
and  that  the  associated  error  statistics  afforded  an  accurate  estimate.  Observation  of  error 
statistics  allowed  us  to  build  a  realistic  LTE  TA  error  model  suitable  for  use  in  simulation 
that  takes  into  account  channel  type.  We  were  also  able  to  validate  with  field  data  the 
analytically  derived  Gaussian  equivalency. 

As  stated  in  Chapter  2,  most  previous  TA-based  studies  in  the  literature  made  two  critical 
assumptions  about  TA  behavior:  that  the  additional  error  introduced  by  the  TA  was  uniform 
and  that  error  was  independent  of  the  UE  location  within  the  TA  annulus.  Those  studies 
that  did  use  real-world  TAs  were  not  focused  on  evaluating  the  TA  per  se.  Our  extensive 
field  experimentation  validated  the  assumption  of  the  uniformity  of  the  error,  however,  we 
also  showed  that  the  model  is  better  served  as  normal  since  the  error  associated  with  the 
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eNB’s  estimate  of  the  UE  distance  is  dominant  relative  to  the  annular  rounding  in  LTE46. 
Furthermore,  we  validated  the  second  assumption  of  the  independence  of  the  error  model 
with  the  UE  annular  offset  if/  both  through  analysis  and  field  experimentation. 

Finally,  our  field  experimentation  with  CeSAR  in  conjunction  with  real-world  TA  values 
lent  validity  to  the  simulated  results  and  showed  that  an  efficient  position  estimate  could  be 
made  when  CeSAR  was  leveraged  to  improve  the  position  estimate.  Also  notable  is  that 
we  demonstrated  the  achievable  performance  inside  a  real-world  LTE  network  deployment 
with  entirely  empirical  data. 

9.2  Future  Work 

This  work  presented  contributions  which,  when  extended,  offer  the  opportunity  for  further 
exploration.  Specifically,  we  suggest  extension  of  this  work  in  four  areas:  three  dimensional 
positioning,  uplink  observation  modeling,  heterogeneous  network  observation,  baseband 
processor  performance  evaluation,  and  studying  the  use  of  the  C-RNTI  to  best  anonymize 
transmissions. 

9.2.1  Positioning  in  R3 

Here  we  propose  further  work  which  seeks  to  provide  a  position  estimate  in  three  dimensions. 
In  dense  urban  environments  the  UE  is  not  always  at  ground  level  due  to  mobility  in 
skyscrapers,  high  rises,  and  other  urban  clutter.  Thus,  a  TA-based  position  estimate  in  R2 
may  result  in  significant  error  for  a  UE  which  is  located  high  above  ground  level. 

Including  a  CeSAR  sensor,  particularly  at  the  base  of  a  structure  in  which  a  UE  may 
be  located,  could  have  two  potential  benefits  which  are  similar  to  advantages  of  CeSAR 
explored  in  R2  in  this  work.  First,  and  most  obvious,  is  that  adding  an  extra  dimension  to 
the  position  estimate  will  always  improve  accuracy  (assuming  the  error  associated  with  that 
measurement  is  at  least  as  good  as  the  measurements  currently  defining  the  existing  system 
of  equations).  Second,  if  a  UE  is  suspected  to  be  in  a  particular  tall  structure,  placing 
the  CeSAR  sensor  at  the  bottom  of  the  structure  realizes  an  approximately  orthogonal 

46This  is  another  intuitive  but  more  general  way  of  stating  the  necessary  conditions  for  Theorem  1  and  QT2 
to  apply. 
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measurement  relative  to  the  UE-infrastructure  geometry.  As  seen  in  this  work,  this  will 
minimize  the  effects  associated  with  GDoP. 

9.2.2  Uplink  Frame  Observation  Modeling 

In  this  work,  uplink  frame  observation  was  done  with  a  BPSK  PN  sequence  and  a  matched 
filter.  In  a  realistic  application,  the  uplink  burst  will  be  transmitted  after  further  being 
OFDM  modulated.  OFDM  transmissions  will  be  more  robust  in  a  fading  channel  and  thus 
have  the  potential  to  improve  the  performance  of  CeSAR  augmentation.  Furthermore,  the 
PN  sequence  used  was  optimized  to  improve  correlation  performance  via  a  FFSR.  Real- 
world  FTE  frames  will  not  necessarily  have  these  favorable  correlation  characteristics,  thus 
the  resulting  correlation  will  not  be  as  exact. 

Specifically,  the  theory  associated  with  developing  an  optimal  detector  of  the  UE  frame 
(e.g.,  the  Neyman-Pearson  detector)  would  significantly  complement  the  CeSAR  method 
and  provide  further  insight  into  expected  real-world  performance.  Of  particular  interest 
would  be  leveraging  the  cyclic  prefix  and  regular  signals  with  specific  periodic  transmissions 
such  as  UE-generated  pilot  tones  to  improve  detection. 

9.2.3  Heterogeneous  Network  Ecology 

At  the  time  of  this  writing  the  author  is  not  aware  of  any  fully  deployed  heterogeneous 
network  in  the  United  States.  Therefore,  in  this  work,  performance  in  the  presence  of  phys¬ 
ically  disparate  carrier  aggregation  was  evaluated  either  entirely  in  simulation  or  empirical 
data  were  collected  from  individual  eNBs  online  then  combined  offline  in  post  processing 
to  mimic  a  heterogeneous  network  deployment. 

In  the  near  future  it  is  likely  that  LTE  release  11  characteristics  will  begin  to  make  an 
entrance  in  the  currently  deployed  architecture.  Studying  the  behavior  of  the  TA  in  a  real- 
world  heterogeneous  implementation  would  be  invaluable.  In  particular,  of  interest  would 
be  the  statistics  of  TA  error  associated  with  SCells,  whether  those  statistics  are  similar 
to  the  PCell  statistics,  and  the  use  of  these  errors  in  case  studies  to  validate  performance 
characteristics. 
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9.2.4  Effect  of  the  Baseband  Processor 

In  this  study  TAs  were  issued  to  and  observed  by  two  different  test  phones  both  operating 
with  the  Qualcomm  Snapdragon  chipset.  A  comprehensive  statistical  study  of  the  TA  in 
conjunction  with  different  chipset  vendors  and  versions  would  be  of  interest.  Among  general 
chipsets  available  on  the  market,  the  Samsung  Exynos  and  Qualcomm  Snapdragon  are  the 
most  pervasive  and  would  provide  a  starting  point  in  terms  of  the  survey.  Within  these 
two  chipsets  evaluating  different  versions  would  also  be  of  interest.  Ultimately,  building  an 
understanding  of  how  TA-based  positioning  varies  with  chipset  would  be  valuable. 

9.2.5  Vulnerability  in  the  LTE  Software  Address  Space 

The  LTE  software  address  space  was  presented  in  this  work  as  a  weak  component  of  a  LPPM. 
To  this  end  it  serves  to  anonymize  transmissions  sent  to  a  specific  UE  as  the  C-RNTI  stands 
in  as  a  software  address  in  place  of  the  permanent  address  (IMSI)  assigned  to  the  UE. 
Evaluating  the  ability  to  link  a  specific  user  to  a  C-RNTI  would  be  of  particular  interest. 
Methods  that  could  be  leveraged  may  include  C-RNTI  chaining  and  deanonymization 
attacks. 

C-RNTI  chaining  is  a  method  of  UE  attribution  to  a  C-RNTI  that  follows  that  user  through 
initial  network  negotiation.  By  observing  the  initial  C-RNTI  issuance  and  then  following 
the  user  as  different  C-RNTIs  are  issued,  a  valid  UE  to  C-RNTI  mapping  can  theoretically 
be  maintained.  As  discussed  in  Chapter  2,  several  methods  have  proven  effective  at  linking 
anonymous  data  to  specific  users.  Evaluating  their  efficacy  in  the  LTE  software  address 
space  would  be  of  interest  both  in  simulation  and  in  real-world  network  deployments.  By 
evaluating  the  inherent  vulnerability  in  the  C-RNTI  anonymization  schema,  recommenda¬ 
tions  to  improve  the  method  in  the  context  of  optimal  C-RNTI  lease  time  and  initial  C-RNTI 
issuance. 
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APPENDIX  A: 

Histograms  Representing  the  Error  Associated  with 
TA-Based  Distance  Estimation 
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Figure  A.l.  Location  A  error  histograms  are  presented  in  this  figure.  Loca¬ 
tion  A  is  characterized  as  a  dense  urban  environment.  Adapted  from  [21], 
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Figure  A. 2.  Location  B  error  histograms  are  presented  in  this  figure.  Loca¬ 
tion  B  is  characterized  as  a  dense  urban  environment.  Adapted  from  [21], 
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Figure  A. 3.  Location  C  error  histograms  are  presented  in  this  figure.  Loca¬ 
tion  B  is  characterized  as  a  dense  urban  environment.  Adapted  from  [21], 
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Figure  A. 4.  Location  D  error  histograms  are  presented  in  this  figure.  Loca¬ 
tion  D  is  characterized  as  a  suburban  environment.  Adapted  from  [21], 
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APPENDIX  B: 

Proof  of  the  Lower  Bound  for  an  Unbiased  Estimator 


In  this  section,  we  provide  the  proof  of  the  relationship  described  by  (6.2)  and  (6.1).  The 
derivation  is  adapted  from  [75]. 

Definition  Al:  An  admissible  estimate  is  the  estimation  of  a  parameter  on  which  obser¬ 
vations  of  a  RV  depend  such  that  the  support  of  the  RV  density  does  not  depend  on  the 
parameter  to  be  estimated. 

Theorem  Al:  Suppose  X  -  {Xi,  AS, . . . ,  X,y }  are  a  set  of  observations  of  the  RV  x  which 
is  parameterized  by  A  and  A(X)  is  an  unbiased  estimator  of  A.  Then 


E{(d(X)-d)2}>-E 


d 2  logp(X|d) 

2 


if  A(X )  constitutes  an  admissible  estimate. 

Proof :  By  definition  A(X)  is  an  unbiased  estimator  so  the  expected  value  of  the  estimate  is 
given  by 

I  A(X)p(X\A)dx  =  A  (B.2) 

J  a 

where  the  limits  of  the  definite  integral  [a,  b]  span  the  support  of  p(X|/l).  Next  taking  the 
derivative  of  both  sides  w.r.t.  A 


A(X)p(X\A)dx  =  1 


and  from  Leibniz’s  rule 


/b  C\  0  7  Q  Cl 

—A(X)p(X\A)dx  +  —  A(b)p(b\A)  -  ^A(a)p(a\A)  =  1  (B.4) 
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but,  by  Definition  1,  the  latter  two  summands  evaluate  to  zero  since 


Therefore,  we  have 


/ 


da 

dA 

db 

dA 


d 


=  0 


0. 


A(X)—p(X\A)dx=l 

dA 


where  we  have  dropped  the  limits  of  the  integral  for  convenience. 

Lemma  Al:  For  an  admissible  estimate  of  the  parameter  A 

df  f  d 

—  p(x\ A)dx  =  /  —p(x\A)dx  =  0. 

Proof'.  It  follows  from  Definition  1  and  Leibniz’s  rule  that 


d  f  f  d 

-jvMA)dx  =  j  - 


p(.r|  A)dx. 


We  can  then  show  that 


—  J  p{x\A)dx  =  —1  =  0 


dA  J  —  QA 
which  follows  from  the  definition  of  a  probability  density.  □ 

Continuing  with  the  proof  of  the  theorem,  we  can  then  let 

J  A(X)jjp(X\A)dx-  J  A-^p(X\A)dx  =  J  (A(X)  -  A)  jjp(X\A)dx 


and 


I  (mx)-a) 


1  d 

p(X|T)5l 


(p(X|/l))  p{X\A)dx  =  1. 


Now  substituting  the  relationship 

d 


3a  -  rvp 


(B.5) 

(B.6) 

(B.7) 

(B.8) 

(B.9) 

1  (B.IO) 

(B  .11) 

(B.12) 
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we  have  that 


J  (!(X)  (logp(XU))  p (X\A)dx  =  1. 

Using  the  definition  of  expectation  the  relationship  becomes 


(B  .13) 


d 


E^(d(Z)-fi)  —  (logp(X|T))}=  1. 


The  Cauchy-Schwarz  inequality47  then  gives 


E{(fi(X)-fi)2}EH^logp(X|T)|  \  > 


(B.14) 


o 

EUfi(X)-T)  —  (logp(XU)) 


dA 


d 


Ej(fi(Z)-i)  [E]  —  logp(X|T)(  [>1. 


E{(l(X)-T)2}>E||^logp(X|T)j  j 


Lemma  A2:  For  an  admissible  estimate  of  the  parameter  A 


o  \ 2  ^  /  q2 

E^(  — logp(X|T)j  =-E|—  logp(X|T)^. 


Proof :  From  the  property  of  a  probability  density  we  have 

J  p(X\A)dx  =  1. 

Now  differentiating  both  sides  of  the  relationship 

J  p(X\A)dx  =  0. 

Again,  invoking  Definition  1  and  Leibniz’s  rule  the  relationship  becomes 

d  [  [  d 

—  I  p(X| A)dx  =  I  — p(X| A)dx  =  0. 


47E{t/2}E{V2}  >  \E{UV}\2  [48]. 


=  1 
(B  .15) 
(B  .16) 

(B  .17) 


(B.18) 


(B.  19) 


(B.20) 


(B.21) 
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We  now  use  the  relationship  (B.12)  to  write 


fd\ogp(X\A)  ,VI1W  A 

/  - - p (X\A)dx  =  0  (B.22) 

and  again  differentiate  both  sides  of  the  equation  to  realize 

a  fa logpyru)  ,V11W  f  a  /aiogP(XU)  ,„,,q J  „ 

al  J  — al — «™«  =  Ja-A — al — P(*U)P  =  0  (B23) 

which  is  again  possible  from  Definition  1  and  Leibniz’s  rule.  The  chain  rule  then  gives 
f  d2logp(X|/l)  ,  f  dlogp(X|T)  <9p(X|T)  n 

J  - —2 - P (XWdx  +  J  - Ta - j^-dx  =  0.  (B.24) 


The  relationship  in  (B.12)  is  the  substituted  into  the  second  summand  to  realize 

f  d2  logp(X|/l)  ,VI1W  ,  fd\ogp(X\A)d\ogp(X\A)  ,VI1W  A 
/  - - p(X| A)dx+  /  - — - — - p(X|T)J.r  =  0  (B.25) 


/  + j  (Mi))2p(X|,)rf, = 0 

E{(^)^.E{«)}  D 


(B.26) 

(B.27) 

(B.28) 


To  finish  the  proof  of  the  theorem  we  use  the  result  of  Lemma  A2  in  (B.  17)  to  arrive  at 


E  { (d(X)  -  d)2}  >  -E 


'52iogP(xiT)r 


dA2 


A 


(B.29) 
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APPENDIX  C: 

Proof  of  the  Maximum  Likelihood  Estimate  and  the 
Cramer-Rao  Lower  Bound  for  Source  Localization 
with  Normally  Corrupted  Measurements 

Theorem  A2:  The  maximum  likelihood  estimate  (MLE)for  source  localization  with  nor¬ 
mally  corrupted  measurements  is  given  by 

N  * 

Z(dj  -  dj)(x o  -  Xj)  _ 

d, 

^  (C.l) 

Z(dj  -  di)(ij{)  -  iq)  _ 
di 

1  =  1 

when  o-j  =  cr,  ii  and  the  source  position  is  po  =  U'o,  UoV  ■ 

Proof'.  Since  the  measurements  d  are  corrupted  by  Gaussian  noise  we  can  define  the  joint 
error  distribution  as 


P  (d\d)  =  fl  J_ 

Lf  VW; 


-{di-diY 

e  Y  . 


The  resulting  log-likelihood  function  is  given  by 


l°gp(rf|rf)  =  ^-l0g(V27 TCTi)  + 


-id,  -  diY 


When  we  let  cr,  =  cr,  Vi  the  log-likelihood  function  is  simplified  to 


logp(rflrf)  =  NC  +  ^ 


-jdj  -  dj  f 
2  cr2 


where  C  =  -log(V2/rcr)  is  a  constant.  The  MLE  p  will  then  be  the  location  p  =  [ x,  y  \ 1 
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that  maximizes  logp(rf|rf)  such  that 


p  =  argmaxlogp(rf|d).  (C.5) 

p 

The  maxima  of  (C.5)  can  then  be  found  by  setting  the  first  derivative  equal  to  zero  and 
solving  for  p. 


Lemma  A3:  The  partial  derivative  of  the  distance,  d,  with  respect  to  p  is 

d  (x-Xi) 

— d;  =  - 

dx  di 

and 

d_,  _  (y  -  y>) 

dy  '  di 

Proof :  Let 

di  =11  p  -  p;  II 

=  sj(x-  Xi )2  +  (y  -  yi)2 

then  by  the  chain  rule 

d_d  _ _ 2(x  -  x,) _ 

dx  2yj(x  -  xi)1  +  (y  -  yi)2 
_  (x  -  Xi) 
di 


(C.6) 


(C.7) 


(C.8) 


(C.9) 


The  partial  derivative  with  respect  to  y  follows  from  the  same  methodology.  □ 


Now,  continuing  with  the  proof  of  Theorem  A2,  consider  the  partial  derivative  of  (C.4) 
with  respect  to  ,r 


N 


q  o 

^  logp(d\d)  =  —AC  +  ^ 


d  -( di  -  djY 


dx 

N 

E 

i=  1 


i=  1 

2 (df  -  dj)  d 


2  cr2  dx 


dx  2cr2 
di 


(C.10) 


which  follows  from  the  chain  rule  and  from  the  fact  that  the  derivative  of  a  constant  is  zero. 
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Then  invoking  Lemma  A3  we  have  that 


d_ 

dx 


logp(rf|rf)  = 


Z 


( di  -  d{)(x  -  Xj) 
cr2dj 


(C.ll) 


The  first  partial  derivative  with  respect  to  y  can  be  found  by  analogous  means.  The 
relationship  in  (C.ll)  can  be  further  simplified  when  finding  the  maxima  of  (C.5)  by 
ignoring  the  constant  cr-2  (assuming  the  condition  cr,  =  cr,  di).  ■ 


Theorem  A3:  The  Cramer-Rao  Lower  Bound  for  unbiased  position  estimation  is  given  by 


CRLB  =  ^trll-') 


(C.12) 


and 


where 


lU,j}  = 


-E 


d2\ogp(d\d)  | 

dmdP{j}  J 


y  N  (x-Xj)2  y  N  (x-Xj)(ij-ijj) 

L*i=  I  cr~d2  2j/=i  2d 2 

>  *  ~ 

y/V  (x -Xj)(y-yi)  yJV  (y-yQ- 

A= 1  cr2  d2  A= 1  cr2</2 

l  l 


(C.13) 


(C.14) 


H’/icn  the  distance  measurements,  di,  are  corrupted  by  Gaussian  noise  and  cr,  =  cr,  Vi. 


Proof :  Consider 


IfUl 


-E 


logp(rf|d) 


(C.15) 


where  p  =  [v,  z/]r  so  p{i}  =  ^  and  p{2}  =  y.  The  relationship  in  (C.15)  can  then  be 
expanded  to 


JfU} 


-E<J  —  —  logp(rf|rf) 

ox  ox 


(  d  1  y  (i/  -  di)(x  -  xi) 
1  dx  cr2  4-*  di 

V  1  =  1 


(C.16) 
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which  follows  from  Theorem  A2.  Now,  again  evaluating  the  partial  derivative  we  have 


3  1  y  (di  -  dj)(x  -  xt) 

dx  cr2  dt 

1  =  1 


1  y  3  (dt  -  di)(x  -  xt) 
cr 2  4-*  dx  di 

l- 1 


(C.17) 


which  follows  from  the  product  rule.  Now  substituting  back  into  (C.16)  we  have 


N 


d  1  (di  -  dj)(x  -  .*,■)  -1 


N 


0-2  Es\[dxd‘ 


i=  1 


di 


i= 1 
N 


5 


(T2  A-J  \  dx 

(C.18) 

which  follows  from  the  following  two  relationships  when  the  expectation  is  taken  with 
respect  to  the  RV  d 


d_ 

dx 


di 


d_ 

dx 


di 


d1 


(C.19) 


|  (di  -  di)j-^di  >  =  0. 


The  former  relationship  is  clear  since  the  expectation  is  take  over  a  constant  relative  to  d. 
The  latter  relationship  follows  from  the  fact  that  Ej  |J,-  -  <7,  j  =  0  if  the  estimate  is  unbiased. 
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Finally,  we  use  the  result  of  Lemma  A3  to  expand  (C.18)  to 


This  result  can  be  easily  extended  by  Lemma  A3  to  show 


l{2,2} 


1  N 

1=1 


(y  -  yiY 

d} 


(C.20) 


(C.21) 


The  off-diagonal  elements  of  I  can  be  found  by  replacing  the  second  derivative  in  (C.16) 


with 


I{1>2} 


[d_  J_  yi  (dj  -  dj){x  -  Xj ) 
[dy  0-2  “ f  dj 


(C.22) 


Evaluating  the  partial  derivative  with  respect  to  y  we  have 


_d_  J_  yi  (dj  -  dj)(x  -  Xj ) 
dy  cr2  dj 


N 


d  (dj  -  dj)(x  -  Xj ) 


-L  y 

cr2  Y—i  Qy 

;=l  • 

1  N  a 

1  ^  d 

cr2  4-*  dy 
;=l  J 

1  d  *.  d 
~l  JYyidi  ~  d^Jxd'  +  idl 


dj 


(dj  -  dj)—dj 
dx 


,,9  d  , 

di)x—x^di 

dy  dx 


(C.23) 
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Then,  substituting  this  result  into  (C.22)  we  have 


(C.24) 


where  the  last  step  follows  from  the  results  enumerated  in  (C.19).  Finally,  using  the  results 
of  Lemma  A3  we  have 


1  (  d  A  l  d  7  \ _  1  */)(«/  ~  yd 

cr2^\dy ‘  {dx  1  ~  a2  A}  d2 

7=1  '  '  '  '  i= 1  i 


(C.25) 


Note  that  the  matrix  I  will  be  symmetric,  therefore,  I{i,2}  =  I{2,1}-  ■ 
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APPENDIX  D: 

Derivation  of  the  Maximum  Likelihood  Estimate 
Associated  with  pjy(x)  *  puM 

In  this  section,  a  derivation  of  the  convolution  pu(x)  *  pu(x)  is  given.  To  begin,  recall 


1  -W2  9 

Pn(x)  =  —  e  ^  =  U (0,  cr2) 

y2ncr 


(D.l) 


Pu(x)  =  ~I[-r/2,r/2]  (x) 

where  I[-r/2,r/2](-)  is  the  indicator  function  with  support  e  [— r/ 2,  r/2]. 
Next,  using  t  as  the  dummy  variable  for  the  convolution  we  have 

1  rx+T/ 2  1 

Pn(x)  *  pu(x)  =  -  —  e  “<7_2  dt. 

T  Jx-t/2  yJlTtcr 


Evaluating  the  integral  we  have 


1  fX+r/2  t  1  /  t\  x+t/2 

-  /  _  e  2<r2  dt  =  -  ®  — 

T  Jx-t/2  YhtCT  T  '  x-t/2 


*  -  r /2 


where 


x  —  p 


is  the  cumulative  density  of  Af(//,  cr2). 


(D.2) 


(D.3) 


(D.4) 


(D.5) 


Next,  to  find  the  maximum-likelihood  estimate  (MLE)  of  p^{x)  *  pij(x)  for  positioning 
applications  consider 

p  =  argmax  logp(rf|rf)  (D.6) 

p 
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where 


N 

\ogp(d\d)  =  ^\ogp(di\di).  (D.7) 

i=  1 

and  d  =  [c/i,  di, . . d^V  is  the  set  of  actual  distances  to  the  N  eNBs,  d  =  [d\,  c/2, . . .  YnV 
is  the  set  of  measured  distances  to  the  N  eNBs.  The  above  density  given  in  (D.4)  can  be 
reformulated  for  the  positioning  problem  with  non-zero  mean  as 


p  (di\di)  = 


di  -  di  -  r/2 


o-i 


-O 


di  -  di  +  r/2 


o-i 


(D.8) 


The  corresponding  MLE  can  then  be  found  as 


d\ogp(d\d) 


d.x 

N 


i  t  d 

-  Yj  [nU,  -  di  -  r/2,  cr2)— c/; 

(=l  ' 


d 

-N(di  -  di  +  r/2,  cr2)—di 

ox 


d\ogy{d\d) 

dy 

N 


1  /  f) 

-  Yr-\di)  \N(di  -  di  -  r/2, cr2)—dj 

r  i  \  n u 


T  1 

1— 1 


dy 

-N ( di  -  di  +  r/2,  cr2)—di 
dy 


(D.9) 


where  we  have  assumed  for  simplicity  that  cr,-  =  cr  Vi,  and 


^  !di  -  dj  -  t/2\  ldi-dj  +  r/2 
T{di)  =  ®  I  - - : - —  I  -  O  1 


cr 


cr 


(D.10) 
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Then  continuing  the  differentiation  and  invoking  Lemma  A3  we  have  that 


dlogp(rflrf)  _ 

dx 

[N^i  +  di  -  r/2, cr2) 

i=i  1 

-N  ( Hi  +  di  +  r/2,  cr2) 

aiogp(rflrf)  _ 

dy 

-y\T~l(di)^y  —  (Nim  +  di  -  r/2,  cr2) 

7  ti 

+  di  +  r/2,  cr2) 

Setting  these  gradients  to  zeros  yields  the  exact  MLE  p  for  an 

PaK*)  *  Pt/U)-  ■ 


(DU) 


error  characterized  by 
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APPENDIX  E: 

Proof  of  the  Variance  of  N'  at  Extrema  of  r 


Theorem  A4: 


limvarlAf'}  =  crt, 
r->0  V*  N 


where  cr2N  is  the  variance  of  the  latent  RV. 


Proof :  Recall  that 


«« ■  P-W 


where  Pn  ff)  is  the  characteristic  function  (CF)  of  N'  [49].  Therefore,  the  second  moment 
is  explicitly  given  by 


E{N*}  =  .HafU 

df - 


since  j  2  =  -1.  Recall  also  that 


Pn'(<P)  =  2  “  2nn/T). 


Lemma  A4:  If  U  is  uniform  then  its  CF  is  given  by 


Pu(cf>)  =  sine 


Proof :  Note  that  if  U  ~  y  1\-t/2,t/2\(x)  then 


1  fT/2 

P[j(<P)  =  -  /  e~J^xdx 
T  J-t/2 


\x=-t/2 
1  (  i$L 

-- —  \e  2  -  e  2 
jfT  V 
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2sin(0r/2) 

CpT 

sin(0r/2) 


<Pt/ 2 


(E.7) 


where  the  last  step  follows  from  the  definition  sinc(.i')  =  sin(.r)/.v'  and  thus  implies 
zero  crossings  at  cp  =  2 nk/r  where  k  e  Z.  Note  also  that  Pij(O)  =  1  which  satisfies 
the  requirement  that  fx  p u(x)dx  =  1.  □ 


Lemma  A5:  If  N  is  normal  then  its  CF  is  given  by 

~(<pa-)2 

PN((P)=e—.  (E.8) 


Proof :  Note  that  if  N  ~  N( 0,  a2)  then 

f°°  1 

Pn(<P)  =  /  —7 

J- co  cry' 


? 2(t2  e  j<pxdx 


-L 


vjln 

1  -X1 

e2 o-2  cos{<px)dx 


oo  cr 

-(0Q-)2 

=  e  2 


(E.9) 


The  second  step  of  (E.9)  follows  from 


/i a  i*a  i*a  ra 

e~ixdx  =  /  cos  (x)dx  +j  sin(^:)J.x:  =  / 

a  J  —a  J -a  J  —a 


cos  (x)dx 


(E.10) 


and  the  last  step  in  (E.9)  is  given  by  Abramowitz  and  Stegun  [76].  Note  also  that 
Pjy{ 0)  =  1  which  satisfies  the  requirement  that  fx  pu(x)dx  =  1.  □ 


Next,  continuing  with  the  proof  of  Theorem  A4,  let  r  — >  0  so  that  Pjvf<P)  *  A((p)  = 
Pu((p)P/y((p )  (cf.  Chapter  6).  Now  to  calculate  the  second  moment,  by  (E.3),  Lemmas  A4 
and  A5,  and  the  product  rule,  we  have 


d(p- 


PuWPnW  =  —7T  sinc  "7T  T7  e 


dcp 


<pT  \  d 


2  J  dcp 


-(0p~) 


+ 


d_ 

dcp 


sine 


CpT 

Y 


~(<f>o-) 


(E.  11) 
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And  again  we  invoke  the  product  rule  to  find  that 


cP_ 

dcf)2 


Pu(<p)PN(<P)  = 


-  sine 


|  sine 


e  2 


(E.12) 


Now  evaluating  individual  elements  of  (E.12)  at  (p  =  0,  we  have  that 

=  0 


d  -(0o-)2 

—e  2 
d(p 


0= o 


d  I  <pr\ 

—sine  — 
dcf)  V  2  / 

dr  -(0Q-)2 
-e  2 


=  0 


d(p- 

dr  (  4>t\ 

— ^sinc  — 
dep 2  V  2  / 


0=0 


0=0 


0=0 


(E.13) 


— o 


1 2 


where  the  first  three  relationships  follow  directly  and  the  last  follows  from  the  variance  of 
a  uniform  random  variable.  Using  these  results  (E.12)  can  be  simplified  to 


dcf) 


Finally,  it  is  straightforward  to  verify  that 


d2  T2 

Pu(,4>)Pn(,4>)  =  0-2  + 


(E.14) 


lim  o  +  — —  —  o  . 

r->0  12 


(E.15) 


Note  that  the  assumption  that  used  to  arrive  at  (E.14)  was  that  /V'(0)  ~  A(0)  which 
requires  that  t  <  e  where  e  is  some  sufficiently  small  number  (cf.  Chapter  6).  ■ 


Theorem  A5: 


lim  var  {AC} 


=  0 


0=0 


(E.16) 
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Lemma  A6:  If  the  annular  offset  is  if  =  r/2  then 

PN'(x)  =  ^ 6(x  +  r/2)  +  ^6(x  -  r/2)  (E.20) 

when  t  — »  oo. 

Proof :  Let  the  impulsion  train  be  IIIr(.x:  -  r/2)  so  that  the  annular  offset  is  ^  =  r/2 
which  is  the  worst  case  ip  in  terms  of  the  resulting  variance  of  N'  when  r  — >  oo.  The 
resulting  shifted  version  of  p^fx)  can  then  be  approximated  as  (E.20)  for  sufficiently 
large  r. 

To  see  this  recall  that  p^r(ri)  =  fn  ad(x  -  nr)  and  consider  summands  where  n  P 
0, 1.  Recall  that  when  the  annular  offset  if  ±  0,  then  (6.13)  can  be  expressed  as 
an  =  ff'[(I)(nr  +  r/2  -  if)  -  ©(/?r  -  r/2  -  if)]  when  d  =  0.  Thus,  when  if  =  r/2, 
an  =  a/[©(nr)  -  ©  (nr  -  r)]  which  is  calculated  explicitly  by 

PUT 

Ctn  =  /  PN'(x)dx.  (E.21) 

J  nr—T 
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Next  note  that 


PUT  P  — oo 

lim  /  pN'(x)dx  =  /  pn>(x)cIx  -  0. 

r— >o°  J nj_T  Vn< 0  •/— oo 


It  then  follows  from  the  fact  that  p^dx)  is  even  that 


(E.22) 


PUT  poo 

lim  /  pu'(x)dx  =  /  pw(x)dx  =  0. 

r— >°o  J nj  T  \/n>  1  ./oo 


(E.23) 


Conversely,  when  n  6  {0, 1} 


PUT 

lim  / 

r-*ro  J„r_r 


PM'(x)dx  = 


lrc=0  ./-OO 


(E.24) 


PUT  PC 

lim  /  pN'(x)dx  =  / 
T— >°0  J nT_T  |  Jo 


PN'{x)dx  = 


(E.25) 


Next,  continuing  with  the  proof  of  Theorem  A5,  the  resulting  Fourier  transform  of  (E.20)  is 


Pn'W 


J  1^6 (x  +  r/2)  +  -  r/2)  j  <?  }<pxdx 


-  Le-j<pr/2  +  _ej<t>T/ 2 
2  2 

=  cos(0r/2). 


(E.26) 


Next  substituting  (E.26)  into  (E.3)  we  have 


d2/V(0)| 


■— -7COS(0t/2) 

d(p~  (/>=o 

~rrd  sin(0r/2) 
dQ  2  0=o 

.2 

—  cos(0r/2) 


(E.27) 
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Finally,  letting  r  — »  oo  we  have 


lim  - 

T  — >00 


J2/VW 

dcp 2 


<P=o 


lim  —  =  oo. 

T  — >00  4 


(E.28) 
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APPENDIX  F: 

Proof  that  /\"(0)  =  Ao(0),  Vt/r  when  r  =  e 


Theorem  A6:  If  pu(x)  is  normally  distributed  with  variance  cr2  then  when  r  =  e 


Puff)  =  Ao(f) 


for  sufficiently  small  e. 


Proof:  Let  if  -  0  and  consider  the  definition 


Puff)  =  Y_i An W  ~  27™/t) 


where  it  was  previously  shown  in  Chapter  6  that 


-(0CT)2  (d)T 

A(f )  =  e  2  sine  la¬ 


under  the  assumption  that  psj{x)  is  normally  distributed  with  variance  cr2  and  pij(x)  is 
uniformly  distributed  e  [-r/2,  r/2].  Each  copy  of  (F.3)  represented  in  the  sum  (F.2)  as 
shifted  from  the  origin  by  Inn/T  (observe  also  that  (F.3)  is  even). 


It  is  clear  that 


Inn 

lim - =  oo. 

r— » 0  r 


Therefore,  all  terms  in  (F.2)  where  n  A  0  will  be  centered  at  ±oo.  Now  when  r  =  e  the 
summand  when  n  =  1  is  centered  at  2/r/f  which  «  oo  for  sufficiently  small  e. 


Lemma  A7: 


lim  A(f)  =  0. 


Proof :  Consider  the  Gaussian  multiplicand  in  (F.3)  which  is  piece-wise  monotonic 
about  its  mean  and  independent  of  r.  Note  that  at  its  extrema 


~(<f>o-)  ~(<po-) 

lim  e  2  =  lim  e  2  =0. 

(p — > — OO  (J) — >oo 
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Therefore,  from  the  property  that 


lim/  •  h  =  (lim/)  •  (lim/?) 

x-*z  \x->z  J  \x-*z  / 


the  lemma  follows.  □ 


(F.7) 


Now  for  the  shifted  versions  of  (F.3)  we  have  that 


-((4>-2nn/€)o-)2  ( (6  -  2nnl e)e 

lim  e  2  Sinc  L: - 

0 — >0  y  2 


nj=0 


-(4HT)1  ( (be 

lim  e  2  sinc  — _ 
0^00  \  2 


=  0 

72^0 


(F.8) 


where  the  equality  to  zero  follows  from  Lemma  A7.  Therefore,  A„(0)  ~  0,  VA„  where 
n  ±  0  and  the  contributions  in  the  sum  of  (F.2)  by  A„  where  n  ±  0  are  effectively  null.  In 
other  words 


^Anicf)  -2nn/e) 

n 


(p=0 


•  •  •  0  +  0  +  A0(0)  +  0  +  0  +  •  •  • 


and  it  can  thus  be  concluded  that 


(F.9) 


/V(0) U=o,T=e  =  X  Am(0  -  2 nn/e)  =  A0(0)  (F.10) 

n 

when  if/  =  0.  Now  let  ifj  ±  0  then  (F.2)  becomes 

=  e~^YjAn^~2  ™/t)  (F.l  1) 

n 

and 

A((p )  =  e~-  sinc  .  (F.12) 

Here,  (F.9)  still  applies  and  so  Lemma  A7  is  still  valid  for  ifj  =£  0.  Now 

PN\<P) |0=o,T=e,^o  =  ^"7°,A  X  A"(0  “  2nn/e)  =  Ao(0)  (R13) 

n 

so  that  the  theorem  holds  Vi )j.  ■ 


126 


APPENDIX  G: 

Sufficient  Condition  for  Var(Af')  >  Var(Af) 


Theorem  A7:  The  lower  bound  on  the  RMSE  for  a  RV  after  quantization  will  always  be 
higher  than  the  CRLB  iff 

t<3.4ct.  (G.l) 


Proof :  It  has  been  previously  shown  in  Appendix  E  that  the  minimum  value  of  Var (AT) 
occurs  when  there  is  no  annular  offset  (i.e.,  1 1 1 T  (x  -  0)).  Therefore,  since  this  value  of  f 
results  in  minimum  variance  in  the  quantized  RV  N'  and  the  variance  of  N'  for  all  other 
offsets  such  that  \p  A  0  will  be  equal  to  or  larger  than  N ,  this  is  the  only  condition  which 
needs  evaluation.  The  variance  of  N'  for  f  =  0  is  given  by 

/oo 

x2and(x  -  m)dx 

OO 

oo 

=  Yj  ( nT)2an  (G.2) 

n=—oo 

°°  put+t/2 

=  Y  (nT^~  /  PN(x)dx 

co  Jm-T/2 

where  is  the  cumulative  density  of  x.  The  first  step  follows  from  the  definition  of 
variance  of  a  zero  mean  random  variable.  The  second  step  follows  from  f(x)6(x  -  a)  = 
f(a)6(x  -  a)  and  J  6(x)dx  =  1.  The  third  step  follows  from  an  =  fq  p^(x)dx  where  the 
definite  integral  is  over  the  interval  qn.  To  see  this  recall  that 


PNfx)  =  fflT0)  (pu O)  *  pu(x )) 

OO 

=  Y  ,7T)  (pu(x)  *  Pu(x)) 

n — — oo 
oo 

=  Y^  d(x  -  nr)  (0(.v  +  r /2)  -  0(.v  -  r/ 2)) 

n — — oo 
oo 

=  ^  6(x  -  nr)  (0(nr  +  r/2)  -  ® (nr  -  r/2)) 

11  —  —  oo 


(G.3) 
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OO  n 

2  S(x-nr)  / 


nr+r/2 


Pu(x)dx. 


Therefore, 


nr-r/2 
nr+r/2 

a,,  =  /  p/sf(x)dx. 

I  ht-t/2 


-l 


(G.4) 


(G.5) 


Now,  as  a  first  approximation  of  pw(x),  assume  that  r  >  e  so  that 


P/V'C*)t  =  +  r)  +  <2o5(-*;)  +  «i <5(jc  -  r) 


(G.6) 


where  the  subscript  1  denotes  the  indices  of  cin  considered  in  the  approximation.  Applying 
(G.2)  to  (G.6)  we  have 


Var(AOt  =  (-r)20  (-^)  +  (0)2  (o  (0  -  O  (^))  +  (r)2  (l  -  ® 

=  (-)2®(t)  +  (t)2®(t 


(G.7) 


=  2r-<D 


which  leads  to 


2r"0  I  —  I  <  cr2. 


Then  solving  for  r  we  have 


r  <  3.4cr. 


(G.8) 

(G.9) 


To  begin  to  quantify  the  fidelity  of  the  approximation  given  in  (G.6)  let  it  be  extended  to 
PN'(X) 2  =  2<5(x  +  2 r)  +  a-\5(x  +  r)  +  ciq8(x)  +  a\8(x  -  r)  +  aofi(.v  -  2 r).  (G.10) 


In  this  case  the  variance  is  given  by 
Var(yV')2  =  (-2  r)20 


+  (t)2  (y- 


4>i-))  +  (2r)qi-*(|: 


(G.ll) 
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Figure  G.l.  The  error  associated  with  using  the  first-order  variance  approx¬ 
imation  parameterized  by  r  is  presented  in  this  figure.  Both  the  resulting 
error  and  r  are  normalized  by  cr. 


Now  in  order  to  understand  when  the  first  order  approximation  given  in  (G.6)  is  no  longer 
valid,  consider  the  difference  between  the  two  approximations  of  variance 

Var(JV')2  -  Var(AOi  =  6r2®  .  (G.12) 

The  resulting  error  between  the  two  approximations  of  VarfAT)  is  shown  in  Figure  G.l.  By 
inspection,  one  finds  that  the  initial  first-order  approximation  is  appropriate  for  finding  the 
upper  bound  on  r  since  the  error  associated  with  pw(x)i  is  negligible.  Specifically,  the 
error  associated  with  using  the  first-order  approximation  at  r  =  3.4  is  1.1779  x  10-5.  One 
may  thus  conclude  that  further  approximation  of  the  bound  is  not  necessary  and  that  the 
sufficient  condition  for  Var(W')  >  Var(AO  is  r  <  3.4<x  Vi/f.  ■ 
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APPENDIX  H: 

Link  Budget  for  Empirical  CeSAR  Validation 


When  conducting  the  empirical  CeSAR  validation  accurate  distance  estimates  were  highly 
dependent  on  the  strength  of  the  received  signal.  This  appendix  details  the  solution  approach 
taken  to  ensure  the  received  signal  was  strong  enough  to  provide  a  distance  estimate. 

Among  the  challenges  associated  with  the  hardware  was  inter-chain  leakage,  transmit  power 
limitations,  and  large  losses  associated  with  free  space  transmission  and  cable  propagation. 
The  transmit  and  receive  chains  had  an  approximate  isolation  of  40  dB,  therefore,  if  the 
received  signal  was  not  strong  enough  the  leakage  signal  would  dominate  and  the  measure¬ 
ment  would  be  corrupted.  The  resulting  distance  estimate  would  be  zero  meters  since  there 
is  a  negligible  propagation  delay  for  the  leakage  signal. 

Additionally,  the  USRP  transmit  and  receive  gain  variables  are  not  well  defined  and  do 
not  necessarily  translate  to  dBm48.  Our  measurements  indicated  the  USRP  gain  values 
corresponded  to  the  transmit  powers  via  the  relationships  shown  in  Table  H.l.  The  transmit 
power  was  measured  with  a  spectrum  analyzer  as  the  peak  power  at  the  transmit  frequency 
for  a  BPSK  sequence. 

Table  H.l.  Correlation  between  USRP  gain  values  and  actual  transmit  pow¬ 
ers 


USRP  Gain  Value 

Transmit  Power  (dBm) 

0 

-10 

20 

9.65 

26 

15.41 

30 

18.32 

40 

18.64 

In  order  to  determine  the  link  budget  associated  with  the  experiment  in  Chapter  8,  we  now 
enumerate  the  losses  associated  with  the  system  used  which  is  shown  in  Figure  H.l.  First, 
the  loss  associated  with  the  coaxial  cable  was  given  by  the  manufacturer  as  -12.6  dB/100  m. 
For  the  150  m  length  of  cable  used  in  this  experiment  the  total  loss  is  theoretically  18.9  dB 

48In  other  words,  a  transmit  gain  of  20  +  20  dBm. 
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Figure  H.l.  The  link  budget  of  the  CeSAR  validation  experiment 


and  was  measured  at  «  20  dB. 


The  loss  associated  with  wireless  transmission  L  can  be  calculated  as 


L  -  lOylog 


(H.l) 


where  y  is  the  path  loss  exponent,  d  is  the  distance  of  the  wireless  channel,  and  A  is  the 
wavelength.  When  transmitting  at  915.1  MHz  for  a  100  m  wireless  channel  this  results  in  a 
path  loss  of  «72  dB  to  «143  dB  assuming  a  path  loss  exponent  of  2  and  4  respectively. 

The  overall  system  loss  was  overcome  with  a  medium  power  amplifier  on  the  transmit 
antenna  and  a  low  noise  amplifier  on  the  receive  antenna.  The  signal  is  first  attenuated  by 
the  cable  assembly,  then  amplified  by  the  medium  power  amplifier  before  it  is  broadcast  at 
the  transmit  antenna.  Assuming  the  USRP  transmits  at  15  dBm  (cf.  Table  H.l)  this  means 
the  transmit  power  before  the  Tx  antenna  is  25  dBm.  Standard  dipole  antennas  (3  dBi) 
were  used  for  transmission  and  reception.  The  signal  then  experiences  path  loss  from  the 
wireless  channel  before  it  is  amplified  by  the  40  dB  low  noise  amplifier.  The  overall  system 
loss  including  amplifier  gains  is  -16  dB  to  -87  dB  for  a  y  of  2  to  4  respectively. 

The  length  of  the  PN  sequence  was  also  leveraged  to  increase  the  processing  gain.  In  our 
case,  a  12th  order  LFSR  was  used  which  corresponds  to  4095  bits  or  «  36  dB  of  processing 
gain. 

Assuming  the  USRP  does  transmit  at  15  dBm  then  the  received  signal  power,  before  it  is 
amplified  by  internal  USRP  amplifiers  is  anywhere  from  -1  dBm  to  -72  dBm.  Finally,  after 
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amplification  from  internal  power  amplifiers,  the  resulting  correlation  peak  is  then  amplified 
in  processing  by  36  dB.  Due  to  the  potential  for  received  signals  to  have  very  low  power,  the 
magnitude  of  the  correlation  peak  is  used  to  validate  the  reception  of  a  sufficiently  strong 
signal.  If  the  correlation  peak  is  significantly  larger  than  the  correlation  noise  floor  a  valid 
distance  measurement  is  recorded. 


133 


THIS  PAGE  INTENTIONALLY  LEFT  BLANK 


134 


APPENDIX  I: 

GNU  Radio  Code  for  Generating  a  BPSK  PN 
Sequence  and  Synchronizing  USRP  Tx/Rx  Chains 

#!/usr/bin/env  python2 

#  coding:  utf-8 

################################################## 

#  GNU  Radio  Python  Flow  Graph 
################################################## 

from  gnuradio  import  blocks 
from  gnuradio  import  digital 
from  gnuradio  import  eng_notation 
from  gnuradio  import  gr 
from  gnuradio  import  uhd 

from  gnuradio . eng_option  import  eng_option 

from  gnuradio . filter  import  firdes 

from  optparse  import  OptionParser 

import  time 

import  numpy  as  np 

import  matplotlib .pyplot  as  pit 

import  os 


class  gnuradioflowCgr . top_block) : 
def  _ init _ (self) : 

gr . top_block. _ init _ (self,  "Gnuradioflow") 

################################################## 
#  Variables 

################################################## 
self . samp_rate  =  samp_rate  =  25e6 
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self . constellation  =  constellation  = 

digital . constellation_calcdist(( [- 1 ,  1]),  ([®,  1]),  4,  l).base() 
self . center_freq  =  center_freq  =  915. Ie6 

################################################## 

#  Blocks 

################################################## 

self . usrp_source  =  uhd.usrp_source( 

,  .joinCC  ,  )), 

uhd . stream_args  C 
cpu_format="fc32" , 
channels=range(l) , 

), 

) 

self .usrp_source . set_samp_rate(samp_rate) 

self .usrp_source. set_center_freq(center_freq,  0) 

self .usrp_source . set_gainC2® ,  0)  #Receive  chain  amplifier  gain 

self .usrp_source. set_antenna("RX2" ,  ®) 

self .usrp_source . set_bandwidth(samp_rate ,  0) 

self .usrp_sink  =  uhd.usrp_sink( 

,  .joinCC  ,  )), 

uhd . stream_args ( 
cpu_format="fc32” , 
channels=range(l) , 

), 

) 

self .usrp_sink. set_samp_rate(samp_rate) 

self .usrp_sink. set_center_freq(center_freq,  0) 

self .usrp_sink. set_gain(26 ,  0)  #Transmit  chain  amplifier  gain 

self .usrp_sink. set_antenna("TX/RX" ,  0) 

self .usrp_sink. set_bandwidth(samp_rate ,  0) 

################################################## 

#  Approximate  measured  gains  for  URSP  gain  value 

#  -  Measured  as  peak  value  of  BPSK  signal 
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################################################## 

#  USRP  Gain  Value  Actual  Gain 

# 


# 

0 

- lOdBm 

# 

20 

9.65  dBm 

# 

26 

15.41  dBm 

# 

30 

18.32  dBm 

# 

40 

18.64  dBm 

################################################## 

############################################################## 

#  Synchronize  Tx/Rx  Chains  (starts  chains  100ms  in  the  future) 
############################################################## 
start_time=self .usrp_sink. get_time_now() . get_real_secs()+ . 1 
self . usrp_sink . set_start_time (uhd . time_spec (start_time) ) 
self .usrp_source . set_start_time(uhd. time_spec(start_time)) 

self . digital_glfsr_source_x_0  =  digital . glfsr_source_b(12 ,  False, 

0,  1)  #sets  GLFSR  order  to  12 

self . digital_constellation_modulator_0  =  digital . generic_mod( 
constellation=constellation , 
differential=True , 
samples_per_symbol=2 , 
pre_diff_code=True , 
excess_bw=© . 35 , 
verbose=False , 
log=False , 

) 

self .blocks_multiply_const_vxx_0  =  blocks .multiply_const_vcc((0 . 5 , 
))  #prevents  overloading  amplifiers  during  Tx 

self .blocks_head_0  =  blocks .head(gr . sizeof_gr_complex*l , 

int(samp_rate/1000))  #sets  number  of  samples  of  the  rxwave  to 
save 

self .blocks_file_sink_l  =  blocks. file_sink(gr . sizeof_gr_complex*l , 
"/home/USER/Desktop/rxwave" ,  False)  #location  to  save  rxwave 
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self .blocks_file_sink_l . set_unbuffered(False) 

self . blocks_file_sink_©  =  blocks. file_sink(gr . sizeof_gr_complex*l , 
"/home/USER/Desktop/txwave" ,  False)  #location  to  save  txwave 
self ,blocks_file_sink_© . set_unbuffered(False) 

################################################## 

#  Connections 

################################################## 

self . connect((self . blocks_head_®,  ®)  ,  (self .blocks_file_sink_l ,  ®)) 
self . connect((self .blocks_multiply_const_vxx_®,  ©) , 

(self .usrp_sink,  ®)) 

self . connect((self . digital_constellation_modulator_® ,  ®) , 

(self . blocks_file_sink_® ,  ®)) 
self . connect((self . digital_constellation_modulator_® ,  ®) , 

(self . blocks_multiply_const_vxx_® ,  ®)) 
self . connect((self . digital_glfsr_source_x_® ,  ®) , 

(self . digital_constellation_modulator_® ,  ®)) 
self . connect((self .usrp_source,  0),  (self .blocks_head_® ,  0)) 

def  get_samp_rate(self) : 
return  self . samp_rate 

def  set_samp_rate(self ,  samp_rate) : 
self . samp_rate  =  samp_rate 

self .blocks_head_® . set_length(int (self . samp_rate/8)) 
self .usrp_sink. set_samp_rate(self . samp_rate) 
self .usrp_sink. set_bandwidth(self . samp_rate ,  ®) 
self .usrp_source. set_samp_rate(self . samp_rate) 
self .usrp_source. set_bandwidth(self . samp_rate,  ©) 

def  get_constellation(self) : 
return  self . constellation 

def  set_constellation(self ,  constellation) : 
self . constellation  =  constellation 
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def  get_center_freq(self) : 
return  self . center_freq 

def  set_center_freq(self ,  center_freq) : 
self . center_freq  =  center_freq 

self . usrp_sink . set_center_freq(self . center_freq ,  0) 
self .usrp_source . set_center_freq(self . center_freq,  0) 


def  main(top_block_cls=gnuradioflow,  options=None) : 

tb  =  top_block_cls() 
tb . start () 
tb . wait() 

itr  =  10  #  Number  of  automated  measurements  to  take,  keep  this  number 
low  in  order  to  avoid  burning  out  the  Tx/Rx  chains 
samples  =  range(itr)  #  The  measured  distances  will  be  saved  here 
corr  =  range (itr)  #  This  will  save  the  peak  correlation  value  to  review 
in  post-processing 

thresh  =  1500  #  This  is  the  threshold  the  correlation  peak  must  exceed 
in  order  to  be  a  valid  measurement 

for  x  in  range(l,  itr+1) : 
i  =  0 
z  =  [0] 

while  (z[i]  <  thresh  or  dist  <  0): 
tb  =  top_block_cls() 
tb . start O 
tb.waitO 

rx_read_complex_binary  =  np . fromfileC ’../■■ /Desktop/rxwave ’ , 
dtype=np . complex64) 
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tx_read_complex_binary  =  np . fromfile( /Desktop/txwave ’ , 
dtype=np . complex64) 
rx  =  rx_read_complex_binary.real 
tx  =  tx_read_complex_binary.real 

z  =  np . correlate(rx ,  tx,  "full") 
i  =  np.argmaxCabs(z)) 

dist  =  (i  -  zerodist)  *  299792458/tb . samp_rate  #Calculate  the 
distance  from  the  max  correlation  index 

print  "trial  "  +  str(x)  +  ":  "  +  str(dist)  +  "  meters,  correlation  @:  " 
+  str(i) 

samples[x-l]  =  dist 
corr[x-l]  =  abs(z[i]) 

#Optionally  plot  the  correlation  peak  and  the  received  signal 

plt.plot(abs(z)) 

pit . show() 

plt.plot(rx) 

pit . show() 

print  "mean:  "  +str(np.mean(samples)) 
si  =  open( ’ /home/jroth/Desktop/Samples ’ ,  ’wb+’) 
si . write(str(samples)) 
si .  closeO 

si  =  open(’/home/jroth/Desktop/Correlation’ ,  ’wb+’) 
si . write(strCcorr)) 
si .  closed 


if _ name _ ==  ’ _ main _ ’  : 

main() 
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